Accelerate your journey to the cloud with integrated identityEnterprise MobilityITPRO05

What we will discuss

Get identities to the cloud

Mix on-premises and cloud identity for improved PC, mobile, and web productivity

Cloud identities help you run your business better

The current reality…

EC2

Single sign-on

Self-service

Simple connection

•••••••••••

Username

Identity as the control plane

Cloud

SaaSAzure

Other directories

Windows ServerActive Directory

On-premises

Microsoft Azure Active Directory

Office 365Publiccloud

Managed: Microsoft System Center Configuration Manager

On-premises LOB applications, traditional productivity

iOS, Android, Windows Phone, BYOD

Mobile apps, shadow IT SaaS solutions

Managed: Microsoft Intune connected to System Center Configuration Manager

On-premises LOB applications, managed SaaS, Office 365 hybrid deployment, Azure Active Directory implementation

Deployment of cloud-enabled rich clients

Managed cloud identities with Multi-Factor Authentication

Managed by EMS: combination of mobile clients (iOS, Android) and cloud-enabled clients (Windows 10)

Managed SaaS and Office 365 Enterprise, full Azure IAM

Identity and access management evolution

On-premises Event – Mobility Hybrid Event-Win 8.x/10 Cloud

Azure Active Directory

Azure Active Directory momentum

Copyright (c) 2015 Microsoft Corporation6

1 TrillionAzure AD authentications since the release of the service

>35kThird party applications used with Azure AD each month

>1 Billion authentications every day on Azure AD

More than

500 M

user accounts on Azure Active Directory

Azure AD manages identity data for

>7 M organizations

86% of Fortune 500 companies on Microsoft Cloud (Azure, O365, CRM Online and PowerBI)

• Microsoft’s “Identity Management as a Service (IDaas)” for organizations

• Azure Active Directory supports identity across Azure, Office 365 and 3rd party clouds

• Evolved to manage an organization’s relationships with its customers/citizens and partners (B2C and B2B)

Scenario #1Get identities to the cloud

Customer story: British AirwaysChallenge• Employees operate in more than 75 countries• How do they encourage employees to connect?• Colleagues are not often behind PCs

Solution• Share identity with your directory in the cloud• Encourage collaboration with Yammer!• Focus on web-based productivity from anywhere

Approach• On-premises identity shared to the cloud

Federated identitySynchronized identity

On-premisesdirectory

On-premisesdirectory

Azure AD Connect

On-premisesidentity

On-premisesidentity

Azure AD ConnectFederation

Office 365 identity models

Zero on-premises servers

Cloud identity

Synchronized identity model

Password hashes

User accounts

User

Sign in

Azure AD Connect

On-premises directory

Synchronized identity

Azure AD

Hash

Extra securit

y

Password

On-premisesdirectory

Password hash sync securityPassword hash AD DSIt is not reversible to get the user’s password.

A hashHashes are mathematical functions that are nearly impossible to reverse.The result of the hash algorithm is called a digest.

Additional processingWe further process it with a one-way hash SHA256 algorithm.Connections are only to the Azure AD service and are SSL encrypted.

Enables Azure AD to validate the user’s password when they log on.

User

DemoTaskSynchronize cloud-ready identities with Azure AD Connect

Steps1) Install Azure AD Connect2) Review four-step Express settings3) Customize apps4) Customize attributes5) Customize writeback

ResultIdentities are in the cloud and ready for SSO to Office 365

Making the scenario successful

Tip #1Perform an Active Directory health check first to make sure your identities are cloud-ready

Tip #2For most organizations, Azure AD Connect’s Express settings work well

Tip #3Azure AD Connect offers write back of passwords, users, groups, and devices

Scenario #2Mix on-premises and cloud identity for improved PC, mobile, and web productivity

Customer story: Aston MartinChallenge• Need security and compliance for a global brand• 15-person IT department demands ease-of-use• Must protect intellectual property

Solution• Group policy on-premises, conditional-access cloud• MDM for Office 365 to enforce mobile security• Azure RMS for file encryption and policy

Approach• Hybrid identity, still evolving

Federated identity

Federated identity model

Password hashes

User accounts

Sign in

On-premises directory

Authentication

Authentication

User

Azure AD Connect

AD FS

AD FS

Password sync backup for federated sign on

Backup password hash sync

User accounts

On-premises directory

This new backup solution for Office 365 customers using federated sign on provides the option to manually switch their domain in a short amount of time during outages, such as on-premises power loss, internet connection interruption, and any other on-premises outages.

Azure AD Connect

Federated identity

AD FS is also easy

Use experienced deployment staff

Use Azure AD Connect

Read the TechNet Deployment Guidehttp://technet.microsoft.com/en-us/library/jj205462.aspx

Only implement the Office 365 requirementsThe only certificate required is the SSL certificate

Prepare with firewall update permissions

DemoTaskUse Azure AD Connect to sync username, etc., and AD FS for password authentication

Steps1) Modify Azure AD Connect installation2) Review optional AD FS configuration3) Deploy AD FS for password proxy authentication4) Enable Office 365 backup password hash5) Consider AD FS load balanced or high availability

ResultSSO to Office 365 optionally without password hash sync

Making the scenario successful

Tip #1Determine if security or compliance policies within your organization require this configuration

Tip #2AD FS requires additional servers to implement, so plan hardware and system requirements accordingly

Tip #3Windows Server 2012 R2 AD FS is currently required for use with Azure AD Connect

Scenario #3Cloud identity helps you run your business better

Customer story: GameStopChallenge• More than 6,000 locations worldwide• The gamer experience thrives on loyalty• Retail portal needed to ensure consistency

Solution• Focus on an excellent user experience• Superior level of security required• GameStop retail portal built in Microsoft’s cloud

Approach• Cloud identity managed in Azure AD

Cloud identity model

User accounts

User

http://portal.office.com

Azure Active Directory

Cloud identity

DemoTaskUse cloud identity with Office 365

Steps1) Log on to the Office 365 admin center2) Under “users and groups,” review configuration3) Create a user profile4) Edit profile5) Review “settings” and “licenses”

ResultVersatile, cloud-only identities, ready for Office 365

Making the scenario successful

Tip #1Cloud-only identities are well suited to a distributed, mobile workforce

Tip #2Rich profile information in Office 365 can provide useful identity information

Tip #3Make sure to assign an Office 365 license to your users

What we discussed

Get identities to the cloud

Mix on-premises and cloud identity for improved PC, mobile, and web productivity

Cloud identities help you run your business better

Next steps

To explore• Try Enterprise Mobility now• http://www.microsoft.com/ems• TechNet @

http://technet.microsoft.com/• MSDN @ http://www.msdn.com/• http://aka.ms/ITInnovation

To doRate the session

Q&AAccelerate your journey to the cloud with integrated identity

© 2015 Microsoft Corporation. All rights reserved.