BYOD ESSENTIALS FOR IT PROS
Sander Berkouwer, DirTeam

About
Sander Berkouwer
- Microsoft MVP, Directory Services
- Microsoft Virtual Technical Evangelist
- Blogger on DirTeam.com, ServerCore.Net and 4SysOps.com

Agenda
- Introducing Bring Your Own (BYO)
- Challenges with Bring-Your-Own
- Solutions:
  - Web-ready authentication
  - Rich authorization
  - Straight-forward access
  - Policy-based systems management
INTRODUCING BYO
Reality
51% of employees between years choose to deliberately ignore corporate policies that apply to the corporate use of privately-owned devices, cloud storage and wearables.
Source: Fortinet, October 22, 2013

Bring Your Own (diagram)
Diagram elements: Employees; Devices, Apps, Information; Management | Access | Security

Bring Your Own
Bring Your Own facilitates access to organizational IT resources with devices owned by employees and other entities.

Bring Your Own and your existing infrastructure (diagram)
Diagram elements: BYO; Applications, Data; Corporate vs. Non-corporate
WEB-READY AUTHENTICATION
Challenges with authentication
- Current protocols lack flexibility
  - Kerberos tickets are encrypted and cannot be split
  - Kerberos tickets only contain SIDs
- Active Directory trusts lack scalability
  - After ~1200 trusts, authentication becomes terribly slow
- Multi-factor authentication
  - A username and password combination is not good enough

We need…
- Web-ready authentication
  - Transport over an SSL channel
  - Optional encryption
  - Open standards
- Flexible trusts
  - Scalable, loosely-coupled, granular trust relationships
- Multi-factor authentication
ACTIVE DIRECTORY FEDERATION SERVICES SOLUTION
Active Directory Federation Services
- Web-ready authentication
  - SAML and OAuth2 are HTTPS-based and work with claims
  - Device-agnostic authentication
- Relying Party trusts
  - Fine-grained definitions, little information shared
- Multi-factor Authentication
  - AD FS authentication is extensible for 3rd parties
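A relying party trust with a deliberately small claim set, as the slide describes it, can be created from the ADFS PowerShell module on Windows Server 2012 R2. The following is an added example and not code from the presentation; the application name, identifier URL and assertion consumer URL are assumed placeholders for a SAML 2.0 web application.

```powershell
# Added example (not from the presentation). Requires the ADFS module on an AD FS 2012 R2 server.
# All names and URLs below are assumed placeholders for a claims-aware web application.
Import-Module ADFS

$rpName       = "Contoso Expense App"                    # assumed relying party display name
$rpIdentifier = "https://expenses.contoso.com/"          # assumed entity ID the application sends
$acsUrl       = "https://expenses.contoso.com/saml/acs"  # assumed assertion consumer service URL

# SAML 2.0 assertions are POSTed over HTTPS to the application's assertion consumer endpoint.
$acs = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $acsUrl

Add-AdfsRelyingPartyTrust -Name $rpName -Identifier $rpIdentifier -SamlEndpoint $acs `
    -SignatureAlgorithm "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

# Issuance transform rules: only the attribute this application needs (the UPN) leaves AD FS.
# That is the "little information shared" property of a relying party trust: the application
# never sees SIDs, group lists or other attributes it has no business with.
$transformRules = @'
@RuleName = "Look up the UPN of the authenticated Windows account in Active Directory"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"), query = ";userPrincipalName;{0}", param = c.Value);

@RuleName = "Send the UPN as the SAML NameID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified");
'@

# Issuance authorization rule: permit every authenticated user (restrict with authorization rules later).
$authzRules = '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceTransformRules $transformRules -IssuanceAuthorizationRules $authzRules

# Verify what was configured.
Get-AdfsRelyingPartyTrust -Name $rpName | Select-Object Name, Identifier, SamlEndpoints, IssuanceTransformRules
```

The two transform rules run in order: the first queries the Active Directory attribute store for userPrincipalName of the Windows account that Kerberos or forms authentication established, the second re-issues that value as the SAML NameID the application consumes. Nothing else from the Kerberos ticket reaches the relying party.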
Authentication with AD FS (diagram)
Diagram elements: On Premises Active Directory Domain Services, AD FS, Colleague, Azure AD, Integrated Application

Claims vs. Tokens

                Claims in SAML                      Claims in Kerberos
Encryption      Optional                            Always (tickets are encrypted)
Transport       HTTP (TCP 80), HTTPS (TCP 443)      Kerberos (TCP 88)
Contents        XML-based                           Authorization data
Limits          -                                   MaxTokenSize
Security        Token signing, replay protection    Ticket lifetime, mutual auth, PAC validation
AZURE ACTIVE DIRECTORY SOLUTION
Introducing Azure Active Directory
- Modern identity management
  - Free REST-based web service for authentication
- Cloud identity management
  - Identity and access for Azure, Office 365, etc.
- 100% interoperability
  - Based on open standards, like SAML
  - Full support for 3rd party identity providers

Authentication with Azure AD (diagram)
Diagram elements: On Premises Active Directory Domain Services, Directory Synchronization Tool, Colleague, Azure AD, Integrated Application
DEMO CLAIMS AND CLAIMTYPES
AZURE MULTI-FACTOR AUTHENTICATION SOLUTION
Authentication factors
- Something someone can prove he/she knows: passwords
- Something someone can prove he/she is: biometric security like fingerprints and iris scans
- Something someone can prove he/she has: smart cards, phones
- Something someone does regularly

Challenges with auth factors
- Smart card hardware
  - Smart card readers never became a commodity
  - Smart cards require a PKI
  - Certificates are commonly experienced as very hard
- User friendliness
  - Is a smart card actually convenient in BYOD scenarios?
  - There are new alternatives to smart cards

Multi-factor Auth with AD FS
- Extensible Authentication Model
  - API in AD FS for 3rd party authentication extensions
  - Default support for certificates on smart cards
- Azure Multi-Factor Authentication
  - Recently acquired PhoneFactor technology
  - Phone call, text message, app or OATH
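How the Extensible Authentication Model is wired up from PowerShell once the Azure MFA adapter has been installed on the federation servers, as an added example that is not part of the presentation. The provider name and the relying party name are assumptions; the real provider name is whatever Get-AdfsAuthenticationProvider reports after the adapter is registered.

```powershell
# Added example (not from the presentation). AD FS on Windows Server 2012 R2 with the Azure MFA
# adapter already installed on every federation server. Names below are assumptions.
Import-Module ADFS

# 1. Registered additional authentication providers; the adapter must appear in this list.
Get-AdfsAuthenticationProvider | Select-Object Name

# Assumed provider name: take the actual Name from the output above.
$mfaProvider = "WindowsAzureMultiFactorAuthentication"

# 2. Enable the provider as an additional (second-factor) method for the whole farm.
Set-AdfsGlobalAuthenticationPolicy -AdditionalAuthenticationProvider $mfaProvider

# 3. Decide when the second factor is demanded. The insidecorporatenetwork claim is "false"
#    for requests that arrive through the Web Application Proxy, so this rule asks for MFA only
#    from the extranet and leaves intranet users on Windows Integrated Authentication.
$mfaRule = @'
@RuleName = "Require multi-factor authentication for requests from outside the corporate network"
c:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"]
 => issue(Type = "http://schemas.microsoft.com/claims/authnmethodsreferences", Value = "http://schemas.microsoft.com/claims/multipleauthn");
'@

# Farm-wide ...
Set-AdfsAdditionalAuthenticationRule -AdditionalAuthenticationRules $mfaRule

# ... or only for one relying party (assumed name); a per-RP rule applies in addition to the global one.
Set-AdfsRelyingPartyTrust -TargetName "Contoso Expense App" -AdditionalAuthenticationRules $mfaRule

# 4. Check the result.
Get-AdfsGlobalAuthenticationPolicy | Select-Object PrimaryIntranetAuthenticationProvider, PrimaryExtranetAuthenticationProvider, AdditionalAuthenticationProvider
Get-AdfsAdditionalAuthenticationRule
```

Issuing the authnmethodsreferences claim with the multipleauthn value is what triggers the additional provider; the rule decides the policy, the provider decides the user experience (phone call, text message, app or OATH code). Without a Web Application Proxy in front of AD FS the insidecorporatenetwork claim is not set to false, and the rule above would never fire for external users.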
DEMO CONFIGURING AZURE MFA WITH AD FS
Azure Multi-Factor Authentication (diagram)
Diagram elements: On Premises Active Directory Domain Services
RICH AUTHORIZATION
Challenges with authorization
- Group memberships are too strict
  - Based on a single attribute, and they grow uncontrollably fast
  - Only AND rules allowed
  - Token bloat
- Cross-organizational access
  - Organizations need an Active Directory trust
  - Trusts leak information both ways

Rich authorization scenarios
Claims can be based on group membership, or on:
- any property of the user account
- the occurrence of the user in the Global Address List (GAL)
- the location of the device used
- … or combinations of the above …
- … or external claims …
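The combinations the slide lists map directly onto issuance authorization rules in AD FS. The block below is an added example, not the presenter's code: it permits access when a user-account property and the device location match, or when a group membership matches, and it fills in the "AND only" gap of plain group authorization because every rule in the set is evaluated independently, so separate rules act as OR. The relying party name, the custom claim type URI and the group SID are assumed placeholders.

```powershell
# Added example (not from the presentation). AD FS on Windows Server 2012 R2.
# The relying party name, the custom claim type and the group SID are assumed placeholders.
Import-Module ADFS

$rpName = "Contoso Expense App"

$authzRules = @'
@RuleName = "Add the department attribute of the user account as a claim (any AD property works here)"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => add(store = "Active Directory", types = ("http://example.com/claims/department"), query = ";department;{0}", param = c.Value);

@RuleName = "Permit Finance department members, but only from the corporate network (property AND device location)"
c1:[Type == "http://example.com/claims/department", Value == "Finance"]
 && c2:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "true"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");

@RuleName = "Permit members of the Expense Approvers group from anywhere (classic group membership, OR-ed with the rule above)"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "S-1-5-21-<placeholder-domain-sid>-1107"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceAuthorizationRules $authzRules

# Show the rules AD FS stored; a user who matches none of the permit rules is denied.
(Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceAuthorizationRules
```

The `add` verb puts the department claim into the evaluation context without sending it to the application, so the relying party still receives only what its transform rules issue. AD FS denies access whenever no rule issues a permit claim, and an explicit deny claim (http://schemas.microsoft.com/authorization/claims/deny) overrides any permit, which is the hook for "external claims" such as a partner federation that should be blocked for a specific application.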
Claims in tokens and tickets
- Claims in SAML and OAuth2: Active Directory Federation Services, available since Windows Server 2003 R2
- Claims in Kerberos: Dynamic Access Control, available since Windows Server 2012 *
WORKPLACE JOIN SOLUTION
Single Sign-On beyond the browser
- Single Sign-On on the intranet
  - AD FS offers automatic Kerberos-to-claims transformation (Identity 1.0 -> Identity 2.0)
- Single Sign-On on the extranet
  - Single Sign-On per browser session
  - There is no Identity 1.0 on the extranet (we hope)
- Single Sign-On using WorkPlace Join

WorkPlace Join – under the hood
- Claims: employees verify devices for their account
- Certificates and cookies
  - Certificate issued by MS-Organization-Access
  - Cookies in the browser
- msDS-Device objects in Active Directory Domain Services
  - Automatically removed after 90 days of inactivity
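Enabling the Device Registration Service that performs WorkPlace Join, and then using the resulting device claim as an authentication factor, as an added example that is not code from the presentation. The service account, DNS zone, host names and relying party name are assumptions; the 90-day inactivity purge is the AD FS default the slide refers to.

```powershell
# Added example (not from the presentation). AD FS on Windows Server 2012 R2. The initialization step
# needs Enterprise Admin rights. Account, zone, host and relying party names are assumptions.
Import-Module ADFS

# 1. Create the Device Registration Configuration and RegisteredDevices containers in AD DS (once per forest).
Initialize-ADDeviceRegistration -ServiceAccountName "CONTOSO\svc-adfs$"   # assumed AD FS service account

# 2. Turn on the Device Registration Service on this farm and allow device authentication.
Enable-AdfsDeviceRegistration
Set-AdfsGlobalAuthenticationPolicy -DeviceAuthenticationEnabled $true

# Registered devices (msDS-Device objects) are purged after this many days without use; 90 is the default.
Set-AdfsDeviceRegistration -MaximumInactiveDays 90
Get-AdfsDeviceRegistration

# 3. Clients locate the service through enterpriseregistration.<UPN suffix>, which must resolve to the
#    federation service name (run on a DNS server for the zone).
Add-DnsServerResourceRecordCName -ZoneName "contoso.com" -Name "enterpriseregistration" -HostNameAlias "adfs.contoso.com"

# 4. Use the device as an authentication factor. This additional authentication rule demands MFA
#    unless the user signs in from a device that was workplace joined with that user's own account,
#    which is the "WorkPlace Join with multi-factor authentication" scenario.
$mfaUnlessRegistered = @'
@RuleName = "Require MFA from devices that are not workplace joined by this user"
NOT EXISTS([Type == "http://schemas.microsoft.com/2012/01/devicecontext/claims/isregistereduser", Value == "true"])
 => issue(Type = "http://schemas.microsoft.com/claims/authnmethodsreferences", Value = "http://schemas.microsoft.com/claims/multipleauthn");
'@
Set-AdfsRelyingPartyTrust -TargetName "Contoso Expense App" -AdditionalAuthenticationRules $mfaUnlessRegistered   # assumed RP name

# The registration flow itself is a relying party trust created by Enable-AdfsDeviceRegistration; attaching an
# additional authentication rule to it makes the one-time WorkPlace Join require a second factor as well.
Get-AdfsRelyingPartyTrust | Where-Object { $_.Name -like "Device Registration*" } | Select-Object Name, Identifier
```

The isregistereduser claim is only true when the device certificate from MS-Organization-Access that the client presents was issued for the account that is signing in; a registered device used by a different user does not satisfy the rule and falls back to MFA. Requiring a second factor at registration time closes the gap where a stolen password would otherwise be enough to enrol an attacker-controlled device as a trusted one.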
DEMO WORKPLACE JOIN WITH MULTI-FACTOR AUTHENTICATION
STRAIGHT-FORWARD ACCESS
Challenges with accessing data
- Server Message Block (SMB)
  - Discloses Windows-based file servers
  - Not optimized for the web
- Remote Procedure Call (RPC)
  - Discloses remote Windows functionality
  - Designed when there was no web…
WORK FOLDERS SOLUTION
Work Folders positioning

Data type                   On personal devices       Storage back-end
Personal data               OneDrive                  Public cloud
Individual business data    Work Folders              File server
Team and project data       OneDrive for Business     SharePoint on-prem/online

Work Folders internals
- HTTP-based file synchronization
- DNS records (workfolders.domain.tld) for AutoDiscovery
- Windows Authentication or AD FS (OAuth2)
- Default device policies
  - Password policy and device lock
  - Customizable using Mobile Device Management (MDM)
  - Encryption of data on the device and remote functional wipe
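A Work Folders deployment that exercises each internal listed above (HTTPS sync, AutoDiscovery DNS record, AD FS OAuth2 authentication and the default device policies), as an added example that is not from the presentation. Server names, paths, group names and the certificate thumbprint are assumed placeholders.

```powershell
# Added example (not from the presentation). Windows Server 2012 R2 file server; names, paths and
# the certificate thumbprint are assumed placeholders.
Install-WindowsFeature FS-SyncShareService -IncludeManagementTools

# Bind the HTTPS certificate (issued for workfolders.contoso.com) to the Work Folders listener on 443.
# The appid is the Work Folders application ID used in Microsoft's deployment guide.
netsh http add sslcert ipport=0.0.0.0:443 certhash=<thumbprint-placeholder> appid="{CE66697B-3AA0-49D1-BDBD-F79BEF6DE4F9}" certstorename=MY

# A sync share: one folder per user, limited to the members of one security group (assumed name).
New-SyncShare -Name "WorkFolders" -Path "D:\SyncShares\WorkFolders" -User "CONTOSO\Work Folders Users"

# Default device policies: data on the device must be encrypted and the device must lock with a password.
# A device that refuses the policy is not allowed to sync; a remote wipe removes only the Work Folders data.
Set-SyncShare -Name "WorkFolders" -RequireEncryption $true -RequirePasswordAutoLock $true

# Authentication: Windows Authentication by default, OAuth2 through AD FS for devices that are not domain joined.
Set-SyncServerSetting -ADFSUrl "https://adfs.contoso.com"

# AutoDiscovery: clients resolve workfolders.<e-mail domain>, so the record must point at the sync server
# (run on a DNS server for the zone).
Add-DnsServerResourceRecordCName -ZoneName "contoso.com" -Name "workfolders" -HostNameAlias "fs01.contoso.com"

# Verify the share policies and the server-wide settings.
Get-SyncShare | Select-Object Name, Path, RequireEncryption, RequirePasswordAutoLock
Get-SyncServerSetting
```

Compared with exposing SMB or RPC, only TCP 443 is published for this service, the certificate identifies the server instead of the server disclosing itself, and AD FS can apply the same claim rules (location, device registration, MFA) to Work Folders that it applies to web applications.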
POLICY-BASED DEVICE MANAGEMENT
Challenges with systems management
- Systems management for multiple platforms
  - Group Policies are Windows-only *
  - Windows-based machines can be managed centrally; what about iPads, Android devices and Windows RT?
- Applications for multiple platforms
  - Different platforms, different ecosystems, different apps
- Not all devices are connected to the network
INTUNE SOLUTION
Systems management with Intune (diagram)
Diagram elements: On Premises Active Directory Domain Services
CONCLUDING
Concluding
To facilitate access to organizational IT resources with devices owned by employees and other entities, you'll need:
- Web-ready authentication
- Rich authorization
- Straight-forward access
- Policy-based systems management

We reward you with 100 WinCoin points for attending this lecture. Earn an additional 100 WinCoin points by filling in the official questionnaire. THANK YOU!

MVA
Successful professionals never stop learning. Microsoft Virtual Academy offers online Microsoft trainings led by experts to help professionals upgrade their knowledge. Trainings are prepared by leading experts from different technology areas. After you take a training, you can test your knowledge. To better understand this session, I advise you to take the following trainings:
- Training name 1: link1
- Training name 2: link1
- Training name 3: link1