4. Identity as the core of enterprise mobility
(Diagram: Microsoft Azure Active Directory at the centre, providing single sign-on, self-service and simple connection between on-premises directories (Windows Server Active Directory and other directories) and SaaS, Azure and public cloud services.)
5. Enable users to access company data from anywhere
(Diagram: Microsoft Azure AD connecting on-premises apps such as HR or SharePoint, custom web or native apps such as a mobile app or LOB app, SaaS apps such as Concur or Salesforce, and other directories.)
• 2500+ pre-integrated popular SaaS apps, and self-service integration via templates
• Connect and sync on-premises directories with Azure
• Easily publish on-premises web apps via Application Proxy, plus custom apps
6. Easily and securely publish modern and legacy on-prem apps
(Diagram: Application Proxy spanning the corporate network, the DMZ and Microsoft Azure Active Directory; the external URL https://app1-contoso.msappproxy.net/ is proxied to the internal application at http://app1.)
• Connectors are usually deployed on the corporate network, next to the resources
• Multiple connectors can be deployed for redundancy, scale, multiple sites, and different resources
• Users connect to the cloud service, which routes their traffic to the resources via the connectors
• The connector auto-connects to the cloud service
8. Identity models leveraging on-premises investments
Synchronized (identity synchronization with password (hash) sync): user attributes are synchronized using identity synchronization services, including a hash of the Active Directory password hash; authentication is completed against Azure Active Directory.
Federated (ADFS): user attributes are synchronized using identity synchronization tools; authentication is passed back through federation and completed against Windows Server Active Directory.
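The "hash of the password hash" in the synchronized model means the cloud never receives the on-premises hash itself, only a salted, iterated derivation of it. The following is an added illustration of that principle, not the slide's or Microsoft's code: SHA-256 stands in for the on-premises hash algorithm, and the salt length and PBKDF2 iteration count are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed illustration: the sync agent derives a salted PBKDF2-HMAC-SHA256
# value from the stored password hash and uploads that plus the salt, so the
# raw on-premises hash is never present in the cloud record.
ITERATIONS = 1000   # assumed iteration count for this example
SALT_LEN = 10       # assumed per-user salt length in bytes


def on_prem_hash(password: str) -> bytes:
    """Stand-in for the password hash held in on-premises Active Directory."""
    return hashlib.sha256(password.encode("utf-16-le")).digest()


def sync_value(stored_hash: bytes, salt: bytes) -> bytes:
    """Value the sync agent uploads: PBKDF2 over the hash, not the password."""
    # The binary hash is re-encoded as its hex string (UTF-16-LE) before derivation
    material = stored_hash.hex().encode("utf-16-le")
    return hashlib.pbkdf2_hmac("sha256", material, salt, ITERATIONS, 32)


def export_user(password: str, salt: Optional[bytes] = None) -> dict:
    """Agent side: build the cloud record from the on-prem hash and a per-user salt."""
    salt = salt if salt is not None else os.urandom(SALT_LEN)
    return {"salt": salt, "hash": sync_value(on_prem_hash(password), salt)}


def cloud_verify(record: dict, password: str) -> bool:
    """Cloud side: recompute from the typed password and compare in constant time."""
    candidate = sync_value(on_prem_hash(password), record["salt"])
    return hmac.compare_digest(candidate, record["hash"])


if __name__ == "__main__":
    record = export_user("Passw0rd!")            # constructed sample password
    print("on-prem hash in record:", on_prem_hash("Passw0rd!") in record.values())
    print("correct password verifies:", cloud_verify(record, "Passw0rd!"))
    print("wrong password verifies:", cloud_verify(record, "passw0rd!"))
```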
9. Azure Active Directory Connect
Consolidated deployment assistant for your identity bridge components (sync engine and ADFS).
• All currently available sync engines (DirSync, Azure Active Directory Sync, FIM + Azure Active Directory Connector) will be replaced by the sync engine included in the Connect tool.
• Assisted deployment of ADFS will be available through Azure Active Directory Connect.
• ADFS is an optional component for authentication in hybrid implementations. Password sync can replace ADFS in more scenarios.
10. What is synchronized? What is not synchronized? DirSync WriteBack? With Azure Active Directory Connect
Synchronized:
• All users
• Groups
• Mail-enabled objects
Objects added, deleted or modified on premises are reflected in Office 365.
Not synchronized:
• Built-in administrative accounts and groups
• Default Active Directory administrative groups
• Default Exchange administrative groups
• Exchange System mailbox accounts
WriteBack: in hybrid deployments, a handful of properties are written back to on-premises AD to support message routing and some advanced features.
12. A standalone Azure identity and access management service, also included in Azure Active Directory Premium.
Prevents unauthorized access to both on-premises and cloud applications by providing an additional level of authentication.
Used by thousands of enterprises to authenticate billions of user requests per day.
13. How does MFA work?
(Diagram: Azure with the Azure MFA Service; the perimeter (DMZ) with the Windows App Proxy; the corporate network with ADFS / MFA Server, Active Directory and a SharePoint farm. Steps 1-10 below are numbered on the diagram.)
1. User connects to a resource that is configured for MFA
2. Authentication request goes to the MFA Server
3. MFA Server reaches out to the identity provider (AD, in our case)
4. Identity provider (AD) returns the authentication response to the MFA Server
5. MFA Server reaches out to the cloud MFA Service
6. Cloud MFA Service performs second-factor authentication with the user's device/phone
7. User responds to the authentication call / mobile notification / request for code
8. If second-factor authentication is successful, the Cloud MFA Service responds to the MFA Server with success
9. MFA Server responds to the requesting resource with successful authentication
10. User accesses the resource (SharePoint via WAP/ADFS)
14. Multi-factor Authentication for AAD & Microsoft Accounts
Azure combines previous authenticator apps into a new app which works with both Microsoft accounts and Azure AD accounts.
• Best-in-breed MFA experience through one-click push notifications
• Support for wearables
• Fingerprints instead of passcodes
• Certificate-based authentication
15. MONITOR AND PROTECT
| Feature | MFA for Office 365/Azure Administrators | Azure Multi-Factor Authentication |
| --- | --- | --- |
| Administrators can enable/enforce MFA for end users | Yes | Yes |
| Use mobile app (online and OTP) as second authentication factor | Yes | Yes |
| Use phone call as second authentication factor | Yes | Yes |
| Use SMS as second authentication factor | Yes | Yes |
| Application passwords for non-browser clients (e.g., Outlook, Lync) | Yes | Yes |
| Default Microsoft greetings during authentication phone calls | Yes | Yes |
| Suspend MFA from known devices | Yes | Yes |
| Custom greetings during authentication phone calls | | Yes |
| Fraud alert | | Yes |
| MFA SDK | | Yes |
| Security reports | | Yes |
| MFA for on-premises applications / MFA Server | | Yes |
| One-time bypass | | Yes |
| Block/Unblock users | | Yes |
| Customizable caller ID for authentication phone calls | | Yes |
| Event confirmation | | Yes |
| Trusted IPs | | Yes |
17. Windows 10 Azure AD joined devices
Azure Active Directory Join makes it possible to connect work-owned Windows 10 devices to your company's Azure Active Directory.
• Enterprise-compliant services
• SSO from the desktop to cloud and on-premises applications with no VPN
• Support for hybrid environments
• Intune/MDM auto-enrollment
19. On-premises applications with AAD Conditional Access
Conditions evaluated for each access request:
APPLICATION: per-app policy; type of client; business sensitivity
OTHER: network location; risk profile
DEVICES: are domain joined; are compliant; platform type (Windows, iOS, Android)
USER ATTRIBUTES: user identity; group memberships; auth strength (MFA)
Outcomes:
• Allow
• Enforce MFA
• Block
Risk indicators: brute force attacks, leaked credentials, infected devices, suspicious sign-in activities, configuration vulnerabilities.
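The slide lists the inputs (application, client type, sensitivity, location, risk, device state, user identity and groups, current auth strength) and the three outcomes (Allow, Enforce MFA, Block). The following added model, not Azure AD's own policy engine or schema, shows how such conditions combine: the most restrictive matching control wins, and an MFA requirement is satisfied by a sign-in that already completed MFA. Policy names, attribute values and the sample sign-in are assumptions constructed for this example.

```python
from dataclasses import dataclass
from typing import Callable, List

# Constructed model of the conditional access inputs and outcomes on the slide.
# Attribute names and policy rules are assumptions for this example only.
ALLOW, ENFORCE_MFA, BLOCK = "Allow", "Enforce MFA", "Block"
SEVERITY = {ALLOW: 0, ENFORCE_MFA: 1, BLOCK: 2}   # higher wins when policies conflict


@dataclass
class SignIn:
    user: str
    groups: set
    app: str
    client: str          # "browser" or "rich_client" (type of client)
    sensitivity: str     # business sensitivity: "low" or "high"
    location: str        # network location: "corpnet" or "internet"
    risk: str            # risk profile: "none", "medium" or "high"
    domain_joined: bool  # device state
    compliant: bool      # device state
    platform: str        # "Windows", "iOS" or "Android"
    mfa_done: bool       # auth strength already achieved in this session


@dataclass
class Policy:
    name: str
    applies: Callable[[SignIn], bool]
    control: str


def evaluate(sign_in: SignIn, policies: List[Policy]) -> str:
    """Return Allow / Enforce MFA / Block for one sign-in."""
    decision = ALLOW
    for policy in policies:
        if policy.applies(sign_in) and SEVERITY[policy.control] > SEVERITY[decision]:
            decision = policy.control
    # An MFA requirement is already met if the session completed MFA; Block never is.
    if decision == ENFORCE_MFA and sign_in.mfa_done:
        return ALLOW
    return decision


# Sample policies constructed for the example (not shipped defaults).
POLICIES = [
    Policy("block high-risk sign-ins", lambda s: s.risk == "high", BLOCK),
    Policy("MFA for sensitive apps off corpnet",
           lambda s: s.sensitivity == "high" and s.location != "corpnet", ENFORCE_MFA),
    Policy("MFA on unmanaged devices",
           lambda s: not (s.domain_joined or s.compliant), ENFORCE_MFA),
    Policy("block rich clients for admins",
           lambda s: "Admins" in s.groups and s.client == "rich_client", BLOCK),
]
```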
21. Public Preview
(Diagram: data flowing from company-internal systems and managed devices, across your perimeter, to mobility and external sharing scenarios.)
22. CLASSIFY, LABEL, PROTECT, MONITOR, RESPOND
The integration of Azure RMS and Secure Islands for a comprehensive information protection solution that protects data at every stage: classify and label the file, protect it, monitor its use and respond.
http://bit.ly/2bFoIVl
23. Azure AD Premium offers multiple options for managing identities
• You can manage and monitor access across devices for users in the office or remote
• Data security and sovereignty can be assured
Sign up for your free Azure and Azure AD Premium trial and test for yourself.