Identity and access management

Presentation transcript:

Identity and access management (4/28/2018)
© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Is it possible to keep up? Is it possible to stay secure?
Users (employees, business partners, customers), data, apps and devices
Threats: lost device, data leaks, compromised identity, stolen credentials

Is it possible to keep up? Microsoft's vision
Users (employees, business partners, customers), data, apps and devices
- Access everything from everywhere
- Manage and secure productivity
- Integrate with what you have

The current reality
- On-premises: managed devices and Active Directory
- Cloud: EC2

Challenge: identities live in too many places
Hybrid identity: user identities come from multiple repositories. Microsoft Azure Active Directory vs. the on-premises sources: HR system, Windows Server Active Directory, LDAP v3, Finance, Windows PowerShell, Oracle DB, web apps, web services (SOAP, Java, REST), generic SQL via ODBC.

Microsoft's IAM solution
- Spans cloud and on-premises
- Provides the full spectrum of services: federation, identity management, device registration, user provisioning, application access control, data protection
- Modern identity management system: Microsoft Azure Active Directory and AAD App Proxy in the Microsoft Cloud (apps in Azure, third-party apps & clouds); Microsoft Identity Manager for apps on-premises
The combination of Windows Server Active Directory, Microsoft Identity Manager, and Microsoft Azure Active Directory enables better security for today's hybrid enterprise.

Identity as the core of enterprise mobility
On-premises: Windows Server Active Directory and other directories. One simple connection to Microsoft Azure Active Directory. Cloud: SaaS apps in Azure and other public clouds. Self-service. Single sign-on.
Microsoft has a solution for this. Traditional identity and access management solutions that provide single sign-on to on-premises applications and directory services such as Active Directory are used by the vast majority of organizations, and huge investments were made to deploy and maintain them. These solutions are perfect for the on-premises world. Now, as we have discussed, there are new pressing requirements to provide the same experience for cloud applications hosted in any public cloud. Azure Active Directory can be the solution to this new challenge by extending the reach of on-premises identities to the cloud in a secure and efficient way. To do that, one simple connection is needed from on-premises directories to Azure AD, and everything else is handled by Azure AD: secure single sign-on to thousands of SaaS applications hosted in any cloud, using the same credentials that exist on-premises. And we don't forget the users: Azure AD provides self-service capabilities and easy access to all the applications, consumer or business, that they need, in the cloud and on-premises too (Application Proxy).

Azure Active Directory
Microsoft's "Identity Management as a Service (IDaaS)" for organizations: millions of independent identity systems controlled by enterprise and government "tenants." Information is owned and used by the controlling organization, not by Microsoft. Born as a cloud directory for Office 365; extended to manage across many clouds; evolved to manage an organization's relationships with its customers/citizens and partners (B2C and B2B).
- 86% of Fortune 500 companies use Microsoft Cloud (Azure, O365, CRM Online, and PowerBI)
- >7 M Azure AD directories
- More than 550 M user accounts on Azure AD
- 1 trillion Azure AD authentications since the release of the service
- >35k third-party applications used with Azure AD each month
- >1.3 billion authentications every day on Azure AD
- Every Office 365 and Microsoft Azure customer uses Azure Active Directory

Azure Active Directory scenarios
- 1000s of apps, 1 identity
- Making the lives of users (and IT) easier
- Managing identities
- Collaborating with partners
- Enabling anytime/anywhere productivity
- Identity-driven security
- Connecting with consumers
- Your domain controller as a service

YOUR DIRECTORY ON THE CLOUD: Making a hybrid identity simple
Azure Active Directory Connect: a consolidated deployment assistant for your identity bridge components.
- All currently available sync engines (DirSync, Azure Active Directory Sync, FIM + Azure Active Directory Connector) will be replaced by the sync engine included in the Connect tool.
- Assisted deployment of ADFS will be available through Azure Active Directory Connect.
- ADFS is an optional component for authentication in a hybrid implementation; password sync can replace ADFS for more scenarios.

EMPOWER USERS: Delivering a seamless user-authentication experience
- Identity synchronization with password (hash) sync: user attributes are synchronized to Microsoft Azure Active Directory using identity synchronization services, including a password hash; authentication is completed against Azure Active Directory.
- Identity synchronization with ADFS: user attributes are synchronized using identity synchronization tools; authentication is passed back through federation and completed against Windows Server Active Directory.

1000s of apps, 1 identity
Connect and sync on-premises directories with Azure: Azure Active Directory Connect and Connect Health*, plus MIM* for HR apps, PowerShell, SQL (ODBC), LDAP v3, web services (SOAP, JAVA, REST) and other directories, feeding Microsoft Azure Active Directory.

1000s of apps, 1 identity
- Connect and sync on-premises directories with Azure
- 2500+ pre-integrated popular SaaS apps and self-service integration via templates
- Easily publish on-premises web apps via Application Proxy, plus custom apps
Microsoft Azure: SaaS apps, integrated custom apps, web apps (Azure Active Directory Application Proxy), other directories.

Making the lives of users (and IT) easier
- Company-branded, personalized application Access Panel: http://myapps.microsoft.com, plus mobile apps
- Manage your account, apps, and groups
- Self-service password reset
- Application access requests

Making the lives of users (and IT) easier: MyApps integration with Office 365

Managing identities
- Comprehensive identity and access management console for the IT professional
- Centralized access administration for pre-integrated SaaS apps and other cloud-based apps
- Dynamic groups, device registration, secure business processes with advanced access management capabilities

MANAGE EVERYTHING: Collaborating with partners: B2B collaboration
Share without complex configuration or duplicate users:
- Partners use their own credentials to access your org
- Users lose access when leaving the partner org
- No external directories, no per-partner federation
You manage access: you control partner access in your directory through app assignment, group membership and custom attributes.
Partners of all sizes: bulk invite 1000s at a time; partners with Azure Active Directory sign in to accept the invite; other partners simply sign up to accept the invite.
"We needed to quickly and cost effectively stand up new IT infrastructure, including extranet applications for thousands of business partners. Azure Active Directory B2B collaboration provides a simple and secure way for partners, large and small, to use their own credentials to access Kodak Alaris systems." (3000+ partners)

Connecting with consumers: Azure Active Directory B2C
Consumer identity and access management in the cloud: cross-platform, identity management for consumers, superior economics, identity experience engine.
Web site: http://www.azure.com/azuread-b2c
Vision video: aka.ms/aadb2cvideo
Pricing page: http://azure.microsoft.com/pricing/details/active-directory-b2c/
Trial page: http://azure.microsoft.com/trial/get-started-aad-b2c/
Documentation: http://azure.microsoft.com/documentation/services/active-directory-b2c/
Other videos: https://channel9.msdn.com/Series/Azure-Active-Directory-Videos-Demos?sort=recent
There is a dedicated deck on B2C on infopedia.
"By using Azure Active Directory B2C we were able to build a fully customized login page without having to build custom code. Additionally, with a Microsoft solution in place, we alleviated all our concerns about security, data breaches, and scalability." - Rafael de los Santos, Head of Digital, Real Madrid

YOUR DIRECTORY ON THE CLOUD: Azure Active Directory Application Proxy
- A connector that auto-connects to the cloud service (Microsoft Azure Active Directory Application Proxy)
- Users connect to the cloud service (for example https://app1-contoso.msappproxy.net/), which routes their traffic to the resources (http://app1) via the connectors
- Connectors are usually deployed on corpnet, next to the resources (diagram: DMZ, corporate network, connectors, resources)
- Multiple connectors can be deployed for redundancy, scale, multiple sites, and different resources

MANAGE EVERYTHING: Achieve simple and secure partner access
- Partners manage their own credentials: partners use their own credentials to access your org; users lose access when they leave the partner org; no external directories; no per-partner federation
- Organizations manage access: you control partner access in your directory through app assignment, group membership and custom attributes
- Partners of all sizes: thousands of bulk invites at a time; partners with Azure Active Directory sign in to accept the invite; other partners simply sign up to accept the invite
Value proposition: simple and secure partner access; partner-managed identities; customer-managed access; all partners, large and small.
And by apps I mean: SaaS apps (Office 365, Salesforce, Box), on-premises apps (claims-aware only for preview), mobile or cloud apps.
1. Bulk invite 1000s of users at a time
2. Bulk add invited users to groups and applications
3. Partner-managed credentials to access your resources
4. Email-verified sign up for Azure AD accounts

MONITOR AND PROTECT: Reveal shadow IT
More cloud apps are in use than IT estimates (source: Help Net Security 2014). Discover all SaaS apps in use within your organization with Microsoft Azure Active Directory Cloud App Discovery. Comprehensive reporting: SaaS app category, number of users, utilization volume.

MONITOR AND PROTECT: Privileged identity management
- Discover, restrict, and monitor privileged identities and their access to resources
- Enforce on-demand, just-in-time administrative access when needed
- Security wizard, alerts, security reviews

EMPOWER USERS: Rich standards-based platform for developers
- Custom LOB applications can integrate with Azure Active Directory
- Sign in to Active Directory-integrated applications with cloud identities
- Active Directory-integrated applications can access Office 365 and other web APIs
- Applications can extend the Azure Active Directory schema
- Cross-platform support (iOS, Android, and Windows)
- Open standards (SAML, OAuth 2.0, OpenID Connect, OData 3.0)
Protocols supported by Microsoft Azure Active Directory: SCIM, OAuth2 and OpenID Connect, SAML, WS-Federation, REST-based Graph API.

MONITOR AND PROTECT: Monitor and protect access to enterprise apps
- Built-in security features
- Security reporting that tracks inconsistent access patterns, analytics, and alerts
- Reporting API
- Step up to Multi-Factor Authentication

MONITOR AND PROTECT: Azure Active Directory Identity Protection (Public Preview)
Protect your organization from compromised accounts, identity attacks, and configuration issues. Identity Protection provides a consolidated view into identity threats and vulnerabilities. Be notified of and understand risk, perform recommended remediation, and automate future responses with risk-based Conditional Access policies.
Using Azure AD Identity Protection, you are able to:
- Get a consolidated view to examine suspicious user activities that have been detected in real time with the use of machine learning algorithms on signals like brute force attacks, leaked credentials, and sign-ins from unfamiliar locations.
- Use remediation recommendations on a list of configuration vulnerabilities that could lead to an elevated risk of user compromise.
- Set risk-based policies to automatically protect the identities of your organization.
Notification, analysis, remediation, and policy configuration. Based on existing and new signals, Azure AD machine learning and user behavioral analysis detect:
- Users at risk of compromise: sufficient indicators that the credentials are under someone else's control (leaked, multi-geo, spam, etc.). The signal quality is better, with fewer false positives.
- Risky login events: real-time analysis of logins; anomalies in the location, the network, TOR. Bringing experience from MSA.
- Unused admin accounts / excessive admin privilege: many global admins.
- Add vulnerability vectors.

MONITOR AND PROTECT: What is Azure Multi-Factor Authentication?
- A standalone Azure identity and access management service, also included in Azure Active Directory Premium
- Prevents unauthorized access to both on-premises and cloud applications by providing an additional level of authentication
- Trusted by thousands of enterprises to authenticate employee, customer, and partner access

MONITOR AND PROTECT: How it works
Second factors: mobile apps, phone calls, text messages.

MONITOR AND PROTECT: How it works
1. Users sign in from any device using their existing username/password.
2. Users must also authenticate using their phone or mobile device before access is granted.
On-premises apps (RADIUS, LDAP, IIS, RDS/VDI, .NET, Java, PHP…) authenticate through the Multi-Factor Authentication Server, backed by Windows Server Active Directory or another LDAP directory; cloud apps authenticate through Microsoft Azure Active Directory (SAML).

MONITOR AND PROTECT: Azure MFA vs. MFA for Office 365
Columns: MFA for Office 365/Azure Administrators; Azure Multi-Factor Authentication.
Rows:
- Administrators can enable/enforce MFA to end users (Yes)
- Use mobile app (online and OTP) as second authentication factor
- Use phone call as second authentication factor
- Use SMS as second authentication factor
- Application passwords for non-browser clients (e.g., Outlook, Lync)
- Default Microsoft greetings during authentication phone calls
- Suspend MFA from known devices
- Custom greetings during authentication phone calls
- Fraud alert
- MFA SDK
- Security reports
- MFA for on-premises applications / MFA server
- One-time bypass
- Block/unblock users
- Customizable caller ID for authentication phone calls
- Event confirmation
- Trusted IPs

Application access policies MONITOR AND PROTECT
Conditions: cloud apps; on-premises apps; location (IP range); device state; user; user group
Actions: allow access; enforce MFA per user/per app; block access

Windows 10 Azure AD joined devices
Enabling anytime, anywhere productivity: Azure Active Directory Join for Windows 10
- Azure Active Directory Join makes it possible to connect work-owned Windows 10 devices to your company's Azure Active Directory.
- SSO from the desktop to cloud and on-premises applications with no VPN.
- Intune/MDM auto-enrollment.
- Support for hybrid environments.
Diagram: Azure AD joined Windows 10 devices reach apps in Azure, third-party apps and clouds, enterprise-compliant services and on-premises apps through Azure Active Directory.
Speaker note: Microsoft believes that the largest enterprises will be in this hybrid state.

Identity-driven security: conditional access
User attributes: user identity; group memberships; authentication strength
Devices: are domain joined; are compliant; platform type (Windows, iOS, Android)
Application: per-app policy; type of client (web, rich, mobile)
Other: location (IP range); risk profile
Actions: allow; enforce MFA; block
Applies to cloud and on-premises applications.

Identity-driven security MONITOR AND PROTECT
Conditions: cloud apps; on-premises apps; location (IP range); device state; user; user group; MFA (authentication strength); risk
Actions: allow access; enforce MFA per user/per app; block access
Built on: Identity Protection (notifications, analysis, remediation, risk-based policies); Cloud App Discovery; Privileged Identity Management
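
The conditions and actions on the conditional-access slides compose into a single evaluation per sign-in. The Python below is an added example, not code from the deck and not Azure AD's implementation: every policy whose conditions all match the sign-in applies; Block overrides Enforce MFA; an MFA requirement is already satisfied when the session carries that authentication strength; and a policy can exempt trusted IP ranges, as the Trusted IPs feature does. The tenant, policies, users and the 203.0.113.0/24 corporate egress range are constructed for the example.

```python
"""Conditional-access evaluation modelled on the deck's conditions and actions.
Added example; not Azure AD's implementation.  Policies and sign-ins are constructed."""
from dataclasses import dataclass
from enum import IntEnum
from ipaddress import ip_address, ip_network
from typing import FrozenSet, Iterable, Optional, Tuple

RISK = {"none": 0, "low": 1, "medium": 2, "high": 3}


class Action(IntEnum):
    ALLOW = 0
    MFA = 1      # "Enforce MFA"
    BLOCK = 2


@dataclass(frozen=True)
class SignIn:
    user: str
    groups: FrozenSet[str]
    app: str
    client: str            # "browser", "rich" or "mobile"
    ip: str
    platform: str          # "Windows", "iOS", "Android"
    domain_joined: bool
    compliant: bool
    risk: str              # sign-in risk level from Identity Protection
    mfa_satisfied: bool    # authentication strength already reached in this session


@dataclass(frozen=True)
class Policy:
    name: str
    action: Action
    apps: Optional[FrozenSet[str]] = None        # None = every cloud app
    groups: Optional[FrozenSet[str]] = None      # None = every user
    clients: Optional[FrozenSet[str]] = None
    platforms: Optional[FrozenSet[str]] = None
    trusted_networks: Tuple[str, ...] = ()       # sign-ins from here are exempt (Trusted IPs)
    noncompliant_devices_only: bool = False      # apply only when the device state is not compliant
    min_risk: str = "none"                       # apply only at this risk level or above


def _from_trusted(ip: str, networks: Iterable[str]) -> bool:
    addr = ip_address(ip)
    return any(addr in ip_network(n) for n in networks)


def applies(p: Policy, s: SignIn) -> bool:
    """Every condition of the policy must hold for it to apply to the sign-in."""
    if p.apps is not None and s.app not in p.apps:
        return False
    if p.groups is not None and not (p.groups & s.groups):
        return False
    if p.clients is not None and s.client not in p.clients:
        return False
    if p.platforms is not None and s.platform not in p.platforms:
        return False
    if _from_trusted(s.ip, p.trusted_networks):
        return False
    if p.noncompliant_devices_only and s.compliant:
        return False
    return RISK[s.risk] >= RISK[p.min_risk]


def evaluate(policies: Iterable[Policy], s: SignIn) -> Action:
    """Block wins over MFA; MFA is only demanded if the session has not satisfied it."""
    matched = [p for p in policies if applies(p, s)]
    if any(p.action is Action.BLOCK for p in matched):
        return Action.BLOCK
    if any(p.action is Action.MFA for p in matched) and not s.mfa_satisfied:
        return Action.MFA
    return Action.ALLOW


# Constructed policy set for a hypothetical tenant (203.0.113.0/24 stands in for corporate egress).
POLICIES = (
    Policy("Block high-risk sign-ins", Action.BLOCK, min_risk="high"),
    Policy("MFA for everyone outside the corporate network", Action.MFA,
           trusted_networks=("203.0.113.0/24",)),
    Policy("Block non-compliant devices on mobile and rich clients for the ERP app", Action.BLOCK,
           apps=frozenset({"ERP"}), clients=frozenset({"mobile", "rich"}),
           noncompliant_devices_only=True),
)


def decide(**fields) -> Action:
    """Build a SignIn from keyword overrides of a constructed baseline and evaluate it against POLICIES."""
    baseline = dict(user="alice", groups=frozenset({"Staff"}), app="Salesforce", client="browser",
                    ip="198.51.100.7", platform="Windows", domain_joined=True, compliant=True,
                    risk="none", mfa_satisfied=False)
    baseline.update(fields)
    return evaluate(POLICIES, SignIn(**baseline))


if __name__ == "__main__":
    for scenario in (dict(ip="203.0.113.10"), dict(), dict(mfa_satisfied=True),
                     dict(risk="high", ip="203.0.113.10"),
                     dict(app="ERP", client="mobile", compliant=False, ip="203.0.113.10")):
        print(scenario, "->", decide(**scenario).name)
```

Two points worth noticing in the evaluation order: a trusted-IP exemption is a condition on one policy, not a global bypass, so the high-risk block still fires from inside the corporate network; and the compliance check is scoped to the client types where a non-compliant device matters, so a browser session on the same device is handled by the MFA policy instead.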

Azure Active Directory Domain Services MANAGE EVERYTHING
Your domain controller as a service: lift-and-shift on-premises apps to Azure IaaS.
- Azure AD Domain Services runs in your virtual network and provides Kerberos, NTLM, LDAP and Group Policy to your Azure IaaS workloads/apps.
- On-premises Windows Server Active Directory is synchronized to Azure Active Directory by Azure AD Connect; Azure AD in turn populates the managed domain.

Identity as the core of enterprise mobility
Simple connection (Windows Server Active Directory, other directories) to Microsoft Azure Active Directory; single sign-on; self-service. Covers SaaS, Azure, public cloud, on-premises and cloud.
Speaker note: Microsoft has a solution for this. Traditional identity and access management solutions providing single sign-on to on-premises applications and directory services such as Active Directory and others are used by the vast majority of organizations, and huge investments were made to deploy and maintain them. These solutions are perfect for the on-premises world. Now, as we have discussed, there are new pressing requirements to provide the same experience for cloud applications hosted in any public cloud. Azure Active Directory can be the solution to this new challenge by extending the reach of on-premises identities to the cloud in a secure and efficient way. To do that, one simple connection is needed from on-premises directories to Azure AD, and everything else is handled by Azure AD: secure single sign-on to thousands of SaaS applications hosted in any cloud, using the same credentials that exist on-premises. And we don't forget the users: Azure AD provides self-service capabilities and easy access to all the applications, consumer or business, that they need, in the cloud but on-premises too (Application Proxy).

Azure Active Directory editions: GA feature comparison + Office 365 IAM features

Editions compared: Azure Active Directory Free | Azure Active Directory Basic | Azure Active Directory Premium | Office 365 apps only

Common features
- Directory as a service: 500,000 object limit (Free) | no object limit (Basic) | no object limit (Premium) | no object limit for Office 365 user accounts (Office 365 apps only)
- User/group management (add/update/delete), user-based provisioning, device registration: Yes
- Single sign-on: 10 apps per user, pre-integrated SaaS and developer-integrated apps (Free) | 10 apps per user, Free tier + Application Proxy apps (Basic) | no limit, Free and Basic tiers + Self-Service App Integration templates (1) (Premium)
- User-based access management/provisioning
- Self-service password change for cloud users
- Connect (sync engine that extends on-premises directories to Azure Active Directory)
- Security reports/audit: 3 basic reports | advanced security reports (Premium)

Basic features (Basic edition; Premium includes all Basic features)
- Group-based access management/provisioning
- Self-service password reset for cloud users
- Company branding (logon pages/access panel customization)
- Application Proxy
- SLA

Premium features
- Self-service group and app management, self-service application additions, dynamic groups
- Self-service password reset/change/account unlock with on-premises write-back
- Advanced usage reporting
- Multi-factor authentication (cloud and on-premises (MFA server)); Office 365 apps only: limited, cloud only, for Office 365 apps
- MIM CAL + MIM server
- Cloud App Discovery
- Automated password rollover
- Connect Health

(1) Self-service integration of any application supporting SAML, SCIM, or forms-based authentication by using templates provided in the application gallery menu. For more details, please read this article: https://azure.microsoft.com/en-us/documentation/articles/active-directory-saas-custom-apps/

Azure Active Directory Join (Windows 10 only) related features
- Join a device to Azure AD, desktop SSO, Microsoft Passport for Azure AD, administrator BitLocker recovery: Yes
- MDM auto-enrolment, self-service BitLocker recovery, additional local administrators on Windows 10 devices via Azure AD Join: Premium


Microsoft Identity Manager
Speaker note: use these slides to support the on-premises identity message if it is determined that the customer is interested or has a use case that requires MIM.

Introducing Microsoft Identity Manager 2016 MANAGE EVERYTHING
- Cloud-ready identities: automatic preparation of Active Directory identities for synchronization with Azure Active Directory
- Powerful user self-service: password reset with Azure Multi-Factor Authentication; dynamic groups with approvals and redesigned certificate management
- Enhanced security: hybrid reporting and privileged access management to protect administrator accounts; support for new security protocols

Microsoft Identity Manager 2016 features MANAGE EVERYTHING
- Cloud-ready identities: standardized Active Directory attributes and values; partitioned identities for synchronization to the cloud; easier-to-deploy reporting connected to Azure Active Directory; preparation of user profiles for Microsoft Office 365
- Powerful user self-service: self-service password reset with Multi-Factor Authentication; new REST-based APIs for AuthN/AuthZ; self-service account unlock; certificate management support for multi-forest and modern apps
- Enhanced security: privileged user and account discovery; new Windows PowerShell support and REST-based API; workflow management for elevated just-in-time administrator access; reporting and auditing specific to privileged access management

Microsoft Identity Manager 2016: IAM evolution MANAGE EVERYTHING
On-premises
- Managed: Microsoft System Center Configuration Manager
- On-premises LOB applications, traditional productivity
Event - Mobility: iOS, Android, Windows Phone, BYOD; mobile apps, shadow IT SaaS solutions
Hybrid
- Managed: Microsoft Intune connected to System Center Configuration Manager
- On-premises LOB applications, managed SaaS, Office 365 hybrid deployment, Azure Active Directory implementation
Event - Windows 8.x/10: deployment of cloud-enabled rich clients; managed cloud identities with Multi-Factor Authentication
Cloud
- Managed by EMS: combination of mobile clients (iOS, Android) and cloud-enabled clients (Windows 10)
- Managed SaaS and Office 365 Enterprise, full Azure IAM

Architecture: hybrid identity with MIM MANAGE EVERYTHING
Microsoft Identity Manager 2016 on-premises manages on-premises applications; Azure AD Connect synchronizes identities to Microsoft Azure Active Directory (IAM); Azure AD App Proxy publishes the on-premises applications through Microsoft Azure.

Scenario: self-service password reset
The user's identity lives in the cloud. At the sign-in page (Username / password) the user chooses "Forgot your password?" and the self-service experience resets it without involving IT, for cloud and on-premises applications.

Scenario: collapse multi-forest Active Directory into one Active Directory (Microsoft Identity Manager 2016)
- Collapse directories
- Map multiple identities
- Transform usernames and other attributes
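
The three bullets above are the essence of a directory consolidation: join the records that describe the same person, decide which forest's value wins for each attribute, and generate usernames that are unique in the target. The Python below is an added example, not MIM's sync engine or any Microsoft code: it joins two constructed forests (CORP and FABRIKAM) on employeeID, applies a fixed attribute-flow precedence, and resolves sAMAccountName collisions with a numeric suffix. The forest names, records and the contoso.com target domain are all constructed.

```python
"""Collapsing two AD forests into one: join, attribute precedence and username transforms.
Added example; not MIM's sync engine.  All records below are constructed."""
from typing import Dict, List

# Constructed source records. employeeID is the join attribute; 1002 exists in both forests.
FOREST_A = [  # CORP forest
    {"forest": "CORP", "sAMAccountName": "jsmith", "employeeID": "1001",
     "mail": "john.smith@contoso.com", "title": "Engineer"},
    {"forest": "CORP", "sAMAccountName": "alee", "employeeID": "1002",
     "mail": "a.lee@contoso.com", "title": ""},
]
FOREST_B = [  # FABRIKAM forest (acquired company)
    {"forest": "FABRIKAM", "sAMAccountName": "jsmith", "employeeID": "2001",
     "mail": "jsmith@fabrikam.com", "title": "Sales"},
    {"forest": "FABRIKAM", "sAMAccountName": "alee", "employeeID": "1002",
     "mail": "alee@fabrikam.com", "title": "Manager"},
]
PRECEDENCE = ["CORP", "FABRIKAM"]  # attribute flow: first forest with a non-empty value wins


def join(records: List[dict]) -> Dict[str, List[dict]]:
    """Map multiple identities: group source records into one entry per employeeID."""
    joined: Dict[str, List[dict]] = {}
    for r in records:
        joined.setdefault(r["employeeID"], []).append(r)
    return joined


def flow(entries: List[dict], attr: str) -> str:
    """Pick the attribute value by forest precedence, skipping empty values."""
    for forest in PRECEDENCE:
        for e in entries:
            if e["forest"] == forest and e.get(attr):
                return e[attr]
    return ""


def collapse(records: List[dict], target_domain: str = "contoso.com") -> List[dict]:
    """Collapse directories: one target account per person with a unique username and UPN."""
    taken = set()
    targets = []
    for emp_id, entries in sorted(join(records).items()):
        base = flow(entries, "sAMAccountName")
        name, n = base, 1
        while name in taken:          # same username in two forests for different people
            n += 1
            name = f"{base}{n}"
        taken.add(name)
        targets.append({
            "employeeID": emp_id,
            "sAMAccountName": name,
            "userPrincipalName": f"{name}@{target_domain}",
            "mail": flow(entries, "mail"),
            "title": flow(entries, "title"),
            "sources": [e["forest"] for e in entries],
        })
    return targets


if __name__ == "__main__":
    for account in collapse(FOREST_A + FOREST_B):
        print(account)
```

The order in which people are processed decides who keeps the unmodified username, so in practice that order (here, ascending employeeID) is a policy decision that should be written down before the first sync, and the renamed accounts need their old names published so applications with hard-coded logins can be found.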

Scenario: implement privileged access management
- Existing AD forests (WS 2003 or later AD DS, existing FIM, existing apps) keep their existing trust; a separate trust for admin access is added toward the PAM forest.
- Microsoft Identity Manager, configured for PAM, receives the user's access requests and grants time-based memberships.
- Example: candidate Jen, group "Resource Admins", domain CORP. Privileged user PRIV\JenAdmin holds groups CORP\Resource Admins, refresh after: 60 minutes.
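
What makes this scenario different from adding Jen to Resource Admins is that the membership is requested, approved, and expires on its own. The Python below is an added example that models that flow; it is not MIM's PAM implementation or any Microsoft code. The bastion-forest naming (PRIV\JenAdmin for CORP\Jen), the 60-minute TTL and the approver CORP\Sam are constructed for the example.

```python
"""Just-in-time privileged access with time-based group membership.
Added example modelling the PAM scenario; not MIM's implementation.  Roles, users and times are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, FrozenSet, Iterable, List, Optional, Set


@dataclass(frozen=True)
class Role:
    group: str                   # privileged group in the existing forest, e.g. CORP\Resource Admins
    candidates: FrozenSet[str]   # users allowed to request it
    ttl_minutes: int = 60        # "Refresh after: 60 minutes"
    needs_approval: bool = False


@dataclass(frozen=True)
class Grant:
    principal: str               # the shadow account in the PRIV (bastion) forest
    group: str
    granted: datetime
    expires: datetime


def shadow_principal(candidate: str) -> str:
    """CORP\\Jen -> PRIV\\JenAdmin: the privileged identity lives in the bastion forest."""
    return "PRIV\\" + candidate.split("\\")[-1] + "Admin"


class PamBroker:
    def __init__(self, roles: Iterable[Role]):
        self.roles = {r.group: r for r in roles}
        self.grants: List[Grant] = []
        self.audit: List[str] = []

    def request(self, candidate: str, group: str, now: datetime, approver: Optional[str] = None) -> Grant:
        role = self.roles[group]
        if candidate not in role.candidates:
            self.audit.append(f"{now.isoformat()} DENY {candidate} -> {group}: not a candidate")
            raise PermissionError(f"{candidate} is not a candidate for {group}")
        if role.needs_approval and (approver is None or approver == candidate):
            self.audit.append(f"{now.isoformat()} DENY {candidate} -> {group}: approval missing")
            raise PermissionError("an approver other than the requester is required")
        grant = Grant(shadow_principal(candidate), group, now, now + timedelta(minutes=role.ttl_minutes))
        self.grants.append(grant)
        self.audit.append(f"{now.isoformat()} GRANT {grant.principal} -> {group} until "
                          f"{grant.expires.isoformat()}" + (f" approved by {approver}" if approver else ""))
        return grant

    def memberships(self, principal: str, now: datetime) -> Set[str]:
        """Groups the principal holds at 'now'. Expired grants are dropped: no standing membership remains."""
        self.grants = [g for g in self.grants if g.expires > now]
        return {g.group for g in self.grants if g.principal == principal}


# Constructed role and walk-through matching the slide: Jen, Resource Admins, 60 minutes.
RESOURCE_ADMINS = Role("CORP\\Resource Admins", frozenset({"CORP\\Jen"}), ttl_minutes=60, needs_approval=True)
SCENARIO_START = datetime(2018, 4, 28, 9, 0, tzinfo=timezone.utc)


def scenario(check_minutes=(0, 30, 59, 60, 61)) -> Dict[int, Set[str]]:
    """Jen is granted Resource Admins at SCENARIO_START; report her groups at each offset in minutes."""
    pam = PamBroker([RESOURCE_ADMINS])
    pam.request("CORP\\Jen", RESOURCE_ADMINS.group, SCENARIO_START, approver="CORP\\Sam")
    return {m: pam.memberships("PRIV\\JenAdmin", SCENARIO_START + timedelta(minutes=m)) for m in check_minutes}


def request_outcome(candidate: str, approver: Optional[str]) -> str:
    """'granted', or the reason the request was refused."""
    pam = PamBroker([RESOURCE_ADMINS])
    try:
        pam.request(candidate, RESOURCE_ADMINS.group, SCENARIO_START, approver=approver)
        return "granted"
    except PermissionError as err:
        return str(err)


if __name__ == "__main__":
    for minutes, groups in scenario().items():
        print(f"+{minutes:>3} min: {sorted(groups)}")
    print(request_outcome("CORP\\Bob", "CORP\\Sam"))
    print(request_outcome("CORP\\Jen", "CORP\\Jen"))
```

The expiry is enforced at lookup time, which mirrors why the slide says "refresh after 60 minutes": a Kerberos ticket issued while the grant was valid still carries the group until the ticket itself is renewed, so the TTL on the membership should be chosen together with the ticket lifetime.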

Deep dive: DirSync, Azure AD, and MIM Sync
- Earlier: DirSync; Azure Active Directory Sync; FIM Sync (+ Azure Active Directory Connector)
- Today: Azure Active Directory Connect; MIM Sync (+ Azure Active Directory Connector)
- Future: Azure Active Directory Connect

Deep dive: migrate to Azure Active Directory
Azure Active Directory Connect connects and syncs on-premises directories with Microsoft Azure Active Directory. Other directories are reached through connectors: PowerShell, LDAP v3, SQL (ODBC), web services (SOAP, Java, REST).

Deep dive: IAM in MIM vs. Azure Active Directory
Microsoft Identity Manager compared with Azure Active Directory on: password reset/management (YES); group management (YES, not dynamic); provisioning, deprovisioning (NO); certificate management; role-based access control.