Ravikumar Sathyamurthy | @ShakthiRavi | Microsoft MVP | Office Servers and Services | Understanding Azure Active Directory and Enterprise Mobility & Security (EMS) | 22/04/2017


Page 1: Understanding Azure Active Directory and Enterprise Mobility & Security (EMS)

Ravikumar Sathyamurthy | @ShakthiRavi | Microsoft MVP | Office Servers and Services

Understanding Azure Active Directory and Enterprise Mobility & Security (EMS)

22/04/2017

Page 2: Understanding Azure Active Directory and Enterprise Mobility & Security (EMS)
Page 3: Understanding Azure Active Directory and Enterprise Mobility & Security (EMS)

Mobile-first, cloud-first reality

Data breaches (63%): 63% of confirmed data breaches involve weak, default, or stolen passwords.

IT budget growth (0.6%): Gartner predicts global IT spend will grow only 0.6% in 2016.

Shadow IT (80%): More than 80 percent of employees admit to using non-approved software as a service (SaaS) applications in their jobs.

Page 4: Understanding Azure Active Directory and Enterprise Mobility & Security (EMS)
Page 5: Understanding Azure Active Directory and Enterprise Mobility & Security (EMS)

Identity as the control plane

On-premises: Windows Server Active Directory

Page 6: Understanding Azure Active Directory and Enterprise Mobility & Security (EMS)

Identity as the control plane

On-premises: Windows Server Active Directory, VPN, BYO

Cloud: SaaS, Azure, Public cloud

Customers and Partners

Page 7: Understanding Azure Active Directory and Enterprise Mobility & Security (EMS)

Identity as the control plane

On-premises: Windows Server Active Directory, VPN, BYO

Microsoft Azure Active Directory

Cloud: Azure, Public cloud

Customers and Partners

Page 8: Understanding Azure Active Directory and Enterprise Mobility & Security (EMS)

Azure AD as the control plane

Microsoft Azure Active Directory

On-premises: Windows Server Active Directory, BYO

Cloud: Azure, Public cloud

Customers and Partners

Page 9: Understanding Azure Active Directory and Enterprise Mobility & Security (EMS)

Identity as the core of enterprise mobility

Single sign-on, Self-service, Simple connection

On-premises: Windows Server Active Directory, Other directories

Cloud: Microsoft Azure Active Directory, SaaS, Azure, Public cloud

Page 10: Understanding Azure Active Directory and Enterprise Mobility & Security (EMS)

What is Azure Active Directory?

A comprehensive identity and access management cloud solution. It combines directory services, advanced identity governance, application access management and a rich standards-based platform for developers.

It is available in 3 editions: Free, Basic and Premium.

Page 11: Understanding Azure Active Directory and Enterprise Mobility & Security (EMS)

Every Office 365 and Microsoft Azure customer uses Azure Active Directory

• 33,000 Enterprise Mobility + Security | Azure AD Premium enterprise customers

• >110k third-party applications used with Azure AD each month

• >1.3 billion authentications every day on Azure AD

• More than 750 M user accounts on Azure AD

• >10 M Azure AD directories

• >85% of Fortune 500 companies use Microsoft Cloud (Azure, O365, CRM Online, and PowerBI)

• Microsoft “Identity Management as a Service (IDaaS)” for organizations.

• Millions of independent identity systems controlled by enterprise and government “tenants.”

• Information is owned and used by the controlling organization—not by Microsoft.

• Born-as-a-cloud directory for Office 365. Extended to manage across many clouds.

• Evolved to manage an organization’s relationships with its customers/citizens and partners (B2C and B2B).

Page 12: Understanding Azure Active Directory and Enterprise Mobility & Security (EMS)

Azure Active Directory Premium

Built on top of the free offering, Azure AD Premium provides a robust set of capabilities to empower enterprises with demanding needs in identity and access management.

Additionally, Azure AD Premium offers:

• An Enterprise SLA of 99.9%

• Usage rights to Identity Manager Server and CALs

Azure AD Editions: http://bit.ly/1gyDRoN

Page 13: Understanding Azure Active Directory and Enterprise Mobility & Security (EMS)

Azure Active Directory. Identity at the core of your business

1000s of apps, 1 identity: Provide one persona to the workforce for SSO to 1000s of cloud and on-premises apps

Manage access at scale: Manage identities and access at scale in the cloud and on-premises

Cloud-powered protection: Ensure user and admin accountability with better security and governance

Enable business without borders: Stay productive with universal access to every app and collaboration capability

Page 14: Understanding Azure Active Directory and Enterprise Mobility & Security (EMS)

• Strong support for modern, cross-platform, cloud-friendly APIs and protocols

• Certification program for third-party federation servers & services

• Actively engaged in standards bodies: IETF (OAuth, JOSE, SCIM, ACE, …), OpenID, FIDO, etc.

Page 15: Understanding Azure Active Directory and Enterprise Mobility & Security (EMS)

1000s of apps, 1 identity

Provide one persona to the modern workforce for SSO to 1000s of cloud and on-premises applications

• Single sign-on to SaaS apps

• Secure remote access to on-premises apps

• Single sign-on to mobile apps

• Support for lift-and-shift of traditional apps to the cloud

Page 16: Understanding Azure Active Directory and Enterprise Mobility & Security (EMS)

Azure AD Connect (sync + sign on)

Active Directory

LDAP directories

Page 17: Understanding Azure Active Directory and Enterprise Mobility & Security (EMS)

Azure Active Directory Connect

Components: Sync engine, ADFS

Consolidated deployment assistant for your identity bridge components.

All currently available sync engines (DirSync, Azure Active Directory Sync, FIM + Azure Active Directory Connector) will be replaced by the sync engine included in the Connect tool.

Assisted deployment of ADFS will be available through Azure Active Directory Connect.

ADFS is an optional component for authentication in hybrid implementations. Password sync can replace ADFS for more scenarios.

1000s OF APPS, 1 IDENTITY

Page 18: Understanding Azure Active Directory and Enterprise Mobility & Security (EMS)

Identity synchronization with password (hash) sync

User attributes are synchronized to Microsoft Azure Active Directory using identity synchronization services, including a password hash; authentication is completed against Azure Active Directory.

Identity synchronization with federation (ADFS)

User attributes are synchronized to Microsoft Azure Active Directory using identity synchronization tools; authentication is passed back through federation (ADFS) and completed against Windows Server Active Directory.

1000s OF APPS, 1 IDENTITY

Page 19: Understanding Azure Active Directory and Enterprise Mobility & Security (EMS)

Azure Active Directory Connect and Connect Health

Connect and sync on-premises directories with Azure Active Directory

MIM: HR apps and other directories, connected to Microsoft Azure Active Directory via PowerShell, SQL (ODBC), LDAP v3 and Web Services (SOAP, JAVA, REST)

1000s OF APPS, 1 IDENTITY

Page 20: Understanding Azure Active Directory and Enterprise Mobility & Security (EMS)

Microsoft Azure Active Directory: web apps (Azure Active Directory Application Proxy), integrated custom apps, SaaS apps, other directories

• 2700+ pre-integrated popular SaaS apps and self-service integration via templates

• Connect and sync on-premises directories with Azure

• Easily publish on-premises web apps via Application Proxy + custom apps

1000s OF APPS, 1 IDENTITY

Page 21: Understanding Azure Active Directory and Enterprise Mobility & Security (EMS)

Application Proxy

Cloud service that allows users to remotely access on-premises apps securely from any device and any place.

Users connect to the ‘published’ apps (for example https://app1-contoso.msappproxy.net/) and the cloud service routes traffic to the backend applications (for example http://app1 on the corporate network) via ‘connectors’.

Connectors are usually deployed inside the corpnet next to the applications (the diagram shows the corporate network, the DMZ and Microsoft Azure Active Directory). They maintain an outbound connection to the service.

Multiple connectors can be deployed for redundancy, scale and access to different sites.

Different types of web apps and APIs can be ‘published’.

1000s OF APPS, 1 IDENTITY

Page 22: Understanding Azure Active Directory and Enterprise Mobility & Security (EMS)

Lift-and-shift on-premises apps to Azure IaaS

Your domain controller as a service for lift-and-shift scenarios

On-premises: Windows Server Active Directory, synchronized through Azure AD Connect to Azure Active Directory

Azure: Azure AD Domain Services provides Kerberos, NTLM, LDAP and Group Policy to your Azure IaaS workloads/apps in your virtual network

1000s OF APPS, 1 IDENTITY

Page 23: Understanding Azure Active Directory and Enterprise Mobility & Security (EMS)

What’s next? EMS

Page 24: Understanding Azure Active Directory and Enterprise Mobility & Security (EMS)
Page 25: Understanding Azure Active Directory and Enterprise Mobility & Security (EMS)

Azure Protection

Page 26: Understanding Azure Active Directory and Enterprise Mobility & Security (EMS)

Enterprise Mobility & Security capabilities (EMS E3 and EMS E5)

Identity and access management

• Azure Active Directory Premium P1: Single sign-on to cloud and on-premises applications. Basic conditional access security.

• Azure Active Directory Premium P2: Advanced risk based identity protection with alerts, analysis, & remediation.

Managed Mobile Productivity

• Microsoft Intune: Mobile device and app management to protect corporate apps and data on any device.

Information Protection

• Azure Information Protection Premium P1: Encryption for all files and storage locations. Cloud based file tracking. (Existing Azure RMS capabilities)

• Azure Information Protection Premium P2: Intelligent classification, & encryption for files shared inside & outside your organization. (Secure Islands acquisition)

Identity Driven Security

• Microsoft Advanced Threat Analytics: Identify suspicious activities & advanced attacks on premises.

• Microsoft Cloud App Security: Bring enterprise-grade visibility, control, and protection to your cloud applications.

Page 27: Understanding Azure Active Directory and Enterprise Mobility & Security (EMS)
Page 28: Understanding Azure Active Directory and Enterprise Mobility & Security (EMS)

Enterprise Mobility & Security + Windows 10 Enterprise

Page 29: Understanding Azure Active Directory and Enterprise Mobility & Security (EMS)

DEMOS!

Page 30: Understanding Azure Active Directory and Enterprise Mobility & Security (EMS)

Enable business without borders

Stay productive everywhere with easy access to every application and powerful collaboration capabilities across location, application, and device borders

• Ease of use for end users

• Any time, any place productivity with Windows 10

• Better connect with your consumers

• Enable cross-organization collaboration

Page 31: Understanding Azure Active Directory and Enterprise Mobility & Security (EMS)

ENABLE BUSINESS WITHOUT BORDERS

Windows 10 Azure AD joined devices

Azure Active Directory Join makes it possible to connect work-owned Windows 10 devices to your company’s Azure Active Directory

• Intune/MDM auto-enrollment

• Enterprise-compliant services

• SSO from the desktop to cloud and on-premises applications with no VPN

• Support for hybrid environments

• Enterprise State Roaming

Page 32: Understanding Azure Active Directory and Enterprise Mobility & Security (EMS)

Manage access at scale

Manage identities at scale in the cloud and on-premises

• Advanced user lifecycle management

• Monitor your identity bridge

• Low IT overhead

Page 33: Understanding Azure Active Directory and Enterprise Mobility & Security (EMS)

MANAGE ACCESS AT SCALE

Comprehensive identity and access management console for the IT professional

• Centralized access administration for pre-integrated SaaS apps and other cloud-based apps

• Dynamic groups, device registration, secure business processes with advanced access management capabilities

• Provisioning and deprovisioning with customization options

Page 34: Understanding Azure Active Directory and Enterprise Mobility & Security (EMS)

Cloud-powered protection

Ensure accountability with better security and governance

• Protect against advanced threats

• Mitigate administrative risks

• Conditional access to resources

• Compliance reporting

Page 35: Understanding Azure Active Directory and Enterprise Mobility & Security (EMS)

IDENTITY-DRIVEN SECURITY

Conditional access: conditions (User, App sensitivity, Device state, Location, Risk) drive actions (allow access or block access; enforce MFA per user/per app) for on-premises applications and Microsoft Azure.

Building blocks: MFA, Identity Protection (notifications, analysis, remediation, risk-based policies), Cloud App Discovery, Privileged Identity Management
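As an added example (not from the slide deck or from any Microsoft code), the Python below models the conditional access logic of this slide: each sign-in carries the conditions named above (user, app sensitivity, device state, location, risk), a set of constructed policies maps them to the actions shown (allow, block, enforce MFA), and the most restrictive matching action wins. Policy names, user names and location names are made up for the illustration.

```python
from __future__ import annotations
from dataclasses import dataclass

# Most restrictive matching action wins: block > mfa > allow
RANK = {"allow": 0, "mfa": 1, "block": 2}

@dataclass(frozen=True)
class SignIn:
    """Conditions of one sign-in attempt (all values constructed for the example)."""
    user: str
    app_sensitivity: str    # "low" or "high"
    device_compliant: bool  # device state, as an MDM such as Intune would report it
    location: str           # named location, e.g. "corpnet" or "home"
    risk: str               # sign-in risk level: "low", "medium" or "high"

@dataclass(frozen=True)
class Policy:
    """A constructed conditional access policy; an empty scope means 'any'."""
    name: str
    action: str                               # "block" or "mfa"
    users: frozenset[str] = frozenset()
    sensitivity: frozenset[str] = frozenset()
    excluded_locations: frozenset[str] = frozenset()  # trusted locations to skip
    risks: frozenset[str] = frozenset()
    noncompliant_only: bool = False           # match only non-compliant devices

    def matches(self, s: SignIn) -> bool:
        def in_scope(scope: frozenset[str], value: str) -> bool:
            return not scope or value in scope
        return (in_scope(self.users, s.user)
                and in_scope(self.sensitivity, s.app_sensitivity)
                and in_scope(self.risks, s.risk)
                and s.location not in self.excluded_locations
                and (not self.noncompliant_only or not s.device_compliant))

# Constructed sample policies mirroring the slide's conditions and actions
POLICIES = [
    Policy("block-high-risk", "block", risks=frozenset({"high"})),
    Policy("block-unmanaged-on-sensitive-apps", "block",
           sensitivity=frozenset({"high"}), noncompliant_only=True),
    Policy("mfa-outside-corpnet", "mfa", excluded_locations=frozenset({"corpnet"})),
    Policy("mfa-for-admins", "mfa", users=frozenset({"admin@contoso.example"})),
]

def evaluate(s: SignIn, policies: list[Policy] = POLICIES) -> tuple[str, list[str]]:
    """Return (action, names of matched policies); no match means 'allow'."""
    matched = [p for p in policies if p.matches(s)]
    action = max((p.action for p in matched), key=RANK.__getitem__, default="allow")
    return action, [p.name for p in matched]
```

Returning the matched policy names alongside the action is what makes a decision auditable when reviewing sign-in reports.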

Page 36: Understanding Azure Active Directory and Enterprise Mobility & Security (EMS)

1. AAD Self-Service Password Reset & Group Management

2. AAD Privileged Identity Management & AAD Identity Protection

3. New Conditional Access

Page 37: Understanding Azure Active Directory and Enterprise Mobility & Security (EMS)

Everything You Want to, Need to, and/or Should Know About EMS in 2017

Page 38: Understanding Azure Active Directory and Enterprise Mobility & Security (EMS)

Try Enterprise Mobility + Security for free, today: https://aka.ms/EMSTrial

Read the CIO’s guide to Azure Active Directory: https://aka.ms/AzureADCIOGuide

Explore Identity + Access Management: www.microsoft.com/identity

Learn more from the Azure AD documentation library: https://aka.ms/AzureADDoc

Discover password best practices: https://aka.ms/PasswordBestPractices

Check out the new Azure AD webinars: https://aka.ms/AADWebinars

Microsoft is a leader in Gartner's IDaaS MQ 2016: https://aka.ms/GartnerIDaaSMQ2016

Review design considerations for your hybrid Azure AD: https://aka.ms/HybridAzureADConsiderations

Page 39: Understanding Azure Active Directory and Enterprise Mobility & Security (EMS)

Questions?