• Technical Community Events (founded by the CIP Program)
• Deep Microsoft-technology based discussions and opportunity to network / bring technical community together
• Opportunity to evangelize, promote and sell Microsoft Products and Services
• Flagship Technical Community event for the Community Immersion program – Role-model for other events and communities
• Over 2500 members!!
• Location Information Links:
http://www.meetup.com/mttcharlotte
http://www.meetup.com/mtttempe
http://www.meetup.com/mttsocal
http://www.meetup.com/mttlasvegas
http://www.meetup.com/mttpacwest
http://www.meetup.com/mttdetroit
http://www.meetup.com/mttnorcal
http://www.meetup.com/mttatlanta
GROUP           ESTABLISHED   MEMBERS ON 12/1/16
MTT So-Cal      JAN 2015      238
MTT Charlotte   MAR 2017
MTT Tempe       SEP 2014      220
MTT Nor-Cal     SEP 2015      226
MTT Pac West    DEC 2015      394
MTT Las Vegas   SEP 2015      224
MTT Detroit     MAY 2016      127
MTT Atlanta     OCT 2016      43
http://www.meetup.com/mttcharlotte
Azure AD: Unified Identity and Access Management
[Diagram labels: Active Directory; Published On-Premise Applications]
• On-premises user accounts can be synchronized with Azure AD Connect
• This enables users to access Microsoft and non-Microsoft SaaS applications and published on-premises applications
• Enables seamless access from any device
• Azure / on-premises AD FS access control policies can be implemented for the devices
• Intune enforces security compliance and provides effective MDM for the devices
https://azure.microsoft.com/en-us/documentation/articles/active-directory-aadconnect-dirsync-upgrade-get-started/
https://azure.microsoft.com/en-us/documentation/articles/active-directory-aadconnect-upgrade-previous-version/
https://azure.microsoft.com/en-us/documentation/articles/active-directory-aadconnect-topologies/
[Chart: forest topology of AAD Connect deployments: Single Forest 93%, 1 Other Forest 5%, More than 1 forest 2%]
User / Contact Matching in AAD Connect
https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-topologies#multiple-forests-single-azure-ad-tenant
Lightweight agent on premise
Authentication happens on premise
[Chart: Active Users by federation provider: ADFS 88%, Ping 4%, Others 4%, GoDaddy 2%, Okta 2%, Novell 0%]
Microsoft Confidential
Now supports
2016
[Diagram: Contoso Corpnet, Azure AD STS, Connector; numbered flow steps 1 to 8]
[Diagram: Azure AD STS, Azure AD, Contoso Corpnet; numbered flow steps 1 to 5]
[Diagram: Contoso Corpnet, AAD STS; numbered flow steps 1 to 6]
https://autologon.microsoftazuread-sso.com
https://aadg.windows.net.nsatc.net
Comparison of sign-in options (columns: Password Hash Synchronization (with SSO (preview)) / ADFS / Pass-through Authentication with SSO (Preview))

Where does the authentication happen?
  Password Hash Synchronization: In the cloud
  ADFS: On-premises
  Pass-through Authentication: On-premises

Where does the user enter the credentials?
  Password Hash Synchronization: In the cloud
  ADFS: On-premises (through proxy in DMZ)
  Pass-through Authentication: In the cloud (transmitted securely to on-premises agent)

Is there any on-premises infrastructure needed beyond Azure AD Connect?
  Password Hash Synchronization: No
  ADFS: Yes – at least 2 ADFS servers and 2 proxies in DMZ
  Pass-through Authentication: Yes – 1 or more lightweight agents that can be installed on any existing servers (including DCs) with no DMZ requirements

Do my users get single sign-on to cloud resources from domain-joined devices within company network?
  Password Hash Synchronization: Yes (with SSO feature)
  ADFS: Yes
  Pass-through Authentication: Yes (with SSO feature)

What login types does it support?
  Password Hash Synchronization: U/P
  ADFS: U/P, WIA, Cert-based auth, SmartCard
  Pass-through Authentication: U/P

What MFA options do I have?
  Password Hash Synchronization: Azure MFA
  ADFS: Azure MFA, Azure on-premises MFA, 3rd party MFA (RSA, Safenet, HID Global, Symantec, …)
  Pass-through Authentication: Azure MFA

What Conditional Access options do I have?
  Password Hash Synchronization: Azure AD Conditional Access
  ADFS: Azure AD Conditional Access as well as additional on-premises levers
  Pass-through Authentication: Azure AD Conditional Access

Does it support alternate login ID?
  Password Hash Synchronization: Yes
  ADFS: Yes
  Pass-through Authentication: Not yet

Does it support legacy application & EAS clients?
  Password Hash Synchronization: Yes
  ADFS: Yes
  Pass-through Authentication: No
What is Multi-Factor Authentication?
The use of two or more of the following factors:
It’s stronger when two different channels are used (out-of-band authentication).
What is Azure Multi-Factor Authentication?
It is an Azure Identity and Access management service that prevents unauthorized access to on-premises and cloud applications by providing an additional level of authentication.
It is trusted by thousands of enterprises to authenticate employee, customer, and partner access.
No devices or certificates to purchase, provision, and maintain
No user training is required
Users replace their own lost or broken phones
Users manage their own authentication methods and phone numbers
Integrates with existing directory for centralized user management and automated enrollment
Strong multi-factor authentication
Real-time fraud alert
PIN option
Reporting and logging for auditing
Enables compliance with National Institute of Standards and Technology (NIST) 800-63 Level 3, HIPAA, PCI DSS, and other regulatory requirements
Works with all leading on-premises applications
Supports AD FS and SAML-based apps for federation to the cloud
Built into Microsoft Azure Active Directory for use with cloud apps
SDK for integration with custom apps and directories
Reliable, scalable service supports high-volume, mission-critical scenarios
How It Works: second factor delivered via mobile apps, phone calls, or text messages
Azure MFA stand-alone
• Included in Azure Active Directory Premium
• Free for Azure administrators
• A subset of Azure MFA functionality that is included in Office 365
Feature comparison (O365 MFA = Multi-factor authentication for Office 365, included in Office 365 SKUs; Azure admin MFA = Multi-factor authentication for Azure Administrators, included with an Azure subscription; Azure MFA = included in Azure AD Premium and Enterprise Mobility Suite; "-" = not included)

Feature                                                   O365 MFA   Azure admin MFA   Azure MFA
Administrators can protect accounts with MFA              YES        YES *             YES
Mobile app as a second factor                             YES        YES               YES
Phone call as a second factor                             YES        YES               YES
SMS as a second factor                                    YES        YES               YES
App passwords for clients that don't support MFA          YES        YES               YES
Admin control over authentication methods                 -          -                 YES
PIN mode                                                  -          -                 YES
Fraud alert                                               -          -                 YES
MFA reports                                               -          -                 YES
One-time bypass                                           -          -                 YES
Custom greetings for phone calls                          -          -                 YES
Customization of caller ID for phone calls                -          -                 YES
Event confirmation                                        -          -                 YES
Trusted IPs                                               -          -                 YES
Suspend MFA for recognized devices (public preview)       -          -                 YES
MFA SDK                                                   -          -                 YES
MFA for on-premises applications using MFA server         -          -                 YES

* Available only for Azure Administrator accounts
Users must use their phone or mobile device to authenticate before access is granted.
Conditional Access can be scoped per application, per group, or per user.
These apply broadly: Federated, PW SSO, Azure AD App Proxy
[Portal screenshot: Manage Multi-Factor Auth. Per-user MFA state: Enabled | Enforced | Disabled. Service settings: App passwords, Trusted IPs, Remember device. Option to apply for all new users]
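The per-user state shown in the portal (Enabled | Enforced | Disabled) can also be read and set from PowerShell, which is the practical way to find users who are still at Disabled across a whole tenant. The script below is an added example and is not part of the original deck; it assumes the MSOnline module (the Azure AD PowerShell module of this deck's era) is installed and that the account used has the rights to run Set-MsolUser. The user principal name alice@contoso.example is a constructed placeholder.

```powershell
# Added example (not from the original deck): audit and set per-user MFA state
# with the MSOnline module, which is assumed to be installed.
# Connect-MsolService prompts for the administrator's credentials.
Connect-MsolService

# StrongAuthenticationRequirements is empty for users whose per-user MFA state
# is Disabled; otherwise its first entry's State is "Enabled" or "Enforced".
# StrongAuthenticationMethods lists the verification methods the user registered.
$report = Get-MsolUser -All | ForEach-Object {
    $req = $_.StrongAuthenticationRequirements
    $state = 'Disabled'
    if ($req -and $req.Count -gt 0) { $state = $req[0].State }
    $methods = ($_.StrongAuthenticationMethods | ForEach-Object { $_.MethodType }) -join ','
    [pscustomobject]@{
        UserPrincipalName = $_.UserPrincipalName
        MfaState          = $state
        RegisteredMethods = $methods
    }
}

# Users still at Disabled are the gap to close first.
$report | Where-Object { $_.MfaState -eq 'Disabled' } | Format-Table -AutoSize

# Move one user (placeholder UPN) to Enabled. Enforced is set the same way with
# State = 'Enforced'; Azure AD also moves a user from Enabled to Enforced once
# that user completes registration of a verification method.
$sta = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$sta.RelyingParty = '*'
$sta.State        = 'Enabled'
Set-MsolUser -UserPrincipalName 'alice@contoso.example' -StrongAuthenticationRequirements @($sta)
```

Setting an empty array (`-StrongAuthenticationRequirements @()`) returns a user to Disabled; review the report before doing that, because the RegisteredMethods column is what tells you whether a user could sign in with the Enabled state at all.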
Verification methods (on first-time login, the user selects one):
• Phone verification: Text | Call (landline, cell, VoIP)
• Mobile app (iOS, Android, Windows): Push notification | OTP; configured with a QR code
• Phone call
• Two out-of-band factors are stronger!
• App password: for apps that can't use the phone (Outlook, Apple Mail, Microsoft Office)
The user database is not shared!
• Easy to Deploy
• Risk Based access policy
• Per Application flexibility
• Unified Management via Azure Portal