• Technical Community Events (founded by the CIP Program)

• Deep Microsoft-technology based discussions and opportunity to

network / bring technical community together

• Opportunity to evangelize, promote and sell Microsoft Products and

Services

• Flagship Technical Community event for the Community Immersion

program – Role-model for other events and communities+

• Over 2500 members!!

• Location Information Links:

http://www.meetup.com/mttcharlotte

http://www.meetup.com/mtttempe

http://www.meetup.com/mttsocal

http://www.meetup.com/mttlasvegas

http://www.meetup.com/mttpacwest

http://www.meetup.com/mttdetroit

http://www.meetup.com/mttnorcal

http://www.meetup.com/mttatlanta

GROUP ESTABLISHED MEMBERS ON 12/1/16

MTT So-Cal JAN 2015 238

MTT Charlotte MAR 2017

MTT Tempe SEP 2014 220

MTT Nor-Cal SEP 2015 226

MTT Pac West DEC 2015 394

MTT Las Vegas SEP 2015 224

MTT Detroit MAY 2016 127

MTT Atlanta OCT 2016 43

RodneyJ@microsoft.comjaalmond@microsoft.com

http://www.meetup.com/mttcharlotte

Azure AD: Unified Identity and Access Management

Active Directory

Published On Premise

Applications

• On-Premises user accounts can be synchronized

with Azure ADConnect

• This enables users to access MS and Non-MS

SaaS and published on premise applications

• Enables seamless access from any device

• Azure/On-Prem ADFS access control policies can

be implemented for the devices

• Intune ensures the security compliance and

effective MDM for the devices

https://azure.microsoft.com/en-us/documentation/articles/active-directory-aadconnect-dirsync-upgrade-get-started/

https://azure.microsoft.com/en-us/documentation/articles/active-directory-aadconnect-upgrade-previous-version/

https://azure.microsoft.com/en-us/documentation/articles/active-directory-aadconnect-topologies/

93%

5% 2%

Single Forest 1 Other Forest More than 1 forest

User / Contact Matching in AAD Connect

https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-

aadconnect-topologies#multiple-forests-single-azure-ad-tenant

Lightweight agent on premise

Authentication happens on premise

88%

4%4%

2% 2% 0%

Active Users

ADFS Ping Others GoDaddy Okta Novell

Microsoft Confidential

Microsoft Confidential 27

Now supports

2016

Contoso Corpnet

Azure AD STS

1 2

3

4

5

6

78

Connector

2

Azure AD STS

Azure AD

1

2

3

Contoso Corpnet

5

Contoso Corpnet

AAD STS

12

3

6

4

https://autologon.microsoftazuread-sso.com

https://aadg.windows.net.nsatc.net

Consideration Password Hash

Synchronization (with

SSO(preview))

ADFS Pass-through

Authentication with SSO (Preview)

Where does the

authentication happen?

In the cloud On-premises On-premises

Where does the user

enter the credentials?

In the cloud On-premises (through proxy in DMZ)

In the cloud (transmitted

securely to on-premises agent)

Is there any on-premises

infrastructure needed

beyond Azure AD

Connect?

No Yes – At least 2

ADFS servers and 2

proxies in DMZ

Yes – 1 or more lightweight

agents that can be installed

on any existing servers

(including DCs) with no

DMZ requirements

Do my users get single

sign-on to cloud

resources from domain-

joined devices within

company network?

Yes (with SSO feature) Yes Yes (with SSO feature)

Consideration Password Hash

Synchronization (with

SSO)

ADFS Pass-through

Authentication with

SSO

What login types does it

support?

U/P U/P, WIA, Cert-based auth,

SmartCard,

U/P

What MFA options do I

have?

Azure MFA Azure MFA, Azure On-premises

MFA, 3rd party MFA (RSA,

Safenet, HID Global,

Symantec,…)

Azure MFA

What Conditional Access

options do I have?

Azure AD Conditional

Access

Azure AD Conditional Access as

well as additional on-premises

levers

Azure AD Conditional

Access

Does it support alternate

login ID?

Yes Yes Not yet

Does it support legacy

application & EAS

clients?

Yes Yes No

What is Multi-Factor Authentication?

The use of two or more of the following factors:

It’s stronger when two different channels are used (out-of-band authentication).

What is Azure Multi-Factor Authentication?

It is an Azure Identity and Access management service that prevents unauthorized access to on-premises and cloud applications by providing an additional level of authentication.

It is trusted by thousands of enterprises to authenticate employee, customer, and partner access.

No devices or certificates to purchase, provision, and maintain

No user training is required

Users replace their own lost or broken phones

Users manage their own authentication methods

and phone numbers

Integrates with existing directory for centralized user

management and automated enrollment

Strong multi-factor authentication

Real-time fraud alert

PIN option

Reporting and logging for auditing

Enables compliance with National Institute of Standards and

Technology (NIST) 800-63 Level 3, HIPAA,

PCI DSS, and other regulatory requirements

Works with all leading on-premises applications

Supports AD FS and SAML-based apps for federation to the cloud

Built into Microsoft Azure Active Directory for use with cloud apps

SDK for integration with custom apps and directories

Reliable, scalable service supports high-volume,

mission-critical scenarios

Mobile Apps

How It Works

Phone calls Text messages

Azure MFA stand-alone

• Included in Azure Active Directory Premium

• Free for Azure administrators

• A subset of Azure MFA functionality that is included in Office 365

Feature Multi-factor authentication For

Office 365 (included in Office 365

SKUs)

Multi-factor Authentication For Azure

Administrators (Included With An Azure

Subscription)

Azure MFA (included In Azure AD Premium and Enterprise

Mobility Suite)

Administrators can protect

accounts with MFA

YES * (Available only for Azure Administrator

accounts)

YES

Mobile app as a second factor YES YES YES

Phone call as a second factor YES YES YES

SMS as a second factor YES YES YES

App passwords for clients

that don't support MFA

YES YES YES

Admin control over

authentication methods

YES

PIN mode YES

Fraud alert YES

MFA reports YES

One-time bypass YES

Custom greetings

for phone calls

YES

Customization of caller ID

for phone calls

YES

Event confirmation YES

Trusted IPs YES

Suspend MFA for recognized

devices (public preview)

YES

MFA SDK YES

MFA for on-premises

applications using MFA server

YES

Users must use their phone or mobile device to authenticate before access is granted.1

Per Application Per Group

Conditional

Access

Per User

These apply broadly... Federated, PW SSO, Azure AD App Proxy

Managed Users Per

Authentication

For all new users

Manage Multi-Factor Auth Per user App passwords Trusted IPs Remember deviceEnabled |Enforced| Disabled

Phone

Verification

Mobile App Phone Call

Push Notification | OTPConfigure with QR Code

2 out-of-band stronger!

Text | CallLand, Cell, VOIP

First time login, user selects

IoSAndroid

Windows

App Password

OutlookApple Mail

Microsoft Office

For apps that can t use phone

The user database is not shared!

• Easy to Deploy

• Risk Based access policy

• Per Application flexibility

• Unified Management via Azure Portal