11/15/2018 3:42 AM © Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Secure access to Office 365/Azure Active Directory with new features in AD FS in Windows Server 2019 and Azure AD password protection
BRK3226
Anand Yadav
Choosing the right sign-in
Password hash synchronization (PHS)
- Authentication in cloud
- Password hash is synced to Azure
- Username + Password
- WIA with Seamless SSO

Pass-through Authentication (PTA)
- Authentication in cloud + on-premises agent
- Username + Password
- WIA with Seamless SSO

Active Directory Federation Service (AD FS)
- On-premises authentication
- Username + Password, WIA, samAccountName, Certificate, Smart-Card
71+ million users actively use AD FS to sign in to Azure
High availability hybrid auth in Azure
On-premises only AD FS
[Diagram labels: User; On-premises; AD FS + WAP; On-premises AD FS Infrastructure]
AD FS in Azure
[Diagram labels: VPN / Express Route; On-premises; Azure; AD FS + WAP; On-premises AD FS Infrastructure; Azure Traffic Manager; AD FS Infrastructure]
https://aka.ms/AdfsInAzure
Securing organizational resources
Operations, Admin access, Users
- MFA
- Privileged Access Workstations
- Privileged Identity Management
- Extranet lockout / Extranet Smart lockout
- MFA for external access
- Stronger passwords
- Connect Health
- Audit logs
- Lock-down network
Demo: Extranet Smart Lockout – More secure more productive
Stay ahead with Connect Health for AD FS
- 360º view of your sign-ins on-premises
- Continuous infrastructure health monitoring
- Critical alerts email notifications
- Application usage analytics
- Performance trend analysis
- Bad password attempts report
- Risky-IP report
Risky IP Report
Strong passwords with Azure AD password protection
The threats are real, global, and target all of us
1.29 billion authentications blocked in August 2018
81% of data breaches involved weak, default, or stolen passwords
Common Passwords Attempted in Password Spray Attacks
Spring 2018 Summer September 1234 Winter Football Your Company Name
Azure AD Password Protection
Power of Azure – in cloud and on-premises
- Powered by Azure: Intelligence from monitoring billions of authentication attempts every day
- Custom list: Define custom list of weak strings for your organization
- Protect users on-premises: Simple deployment on-premises to leverage the Azure logic and ensure stronger passwords
As high as 52% weak passwords were found and blocked by Azure AD Password Protection
Under the hood
1. Password change: All password change or reset events are processed by Azure AD Password Protection.
2. Normalization: Normalize the passwords for general transformations, like ‘0’ for ‘O’ and ‘!’ for an ‘i’.
3. Strength check: Password strings are checked to ensure they have enough score to be considered as a strong password.
4. Allowed / Blocked: Based on the normalization and strength check, password is allowed / blocked.
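The normalize, score, then allow/block flow above, as an added sketch that is not Microsoft's code. Only the '0' and '!' substitutions come from the slide; the other substitutions, the banned terms, the scoring rule (one point per banned term, one per leftover character), the threshold of 5 and the "Contoso" custom entry are assumptions made for illustration.

```python
# Added illustration; the substitution map, banned terms, scoring rule and
# threshold are assumptions of this sketch, not the service's own data or logic.

# '0'->'o' and '!'->'i' are the two substitutions named on the slide; the rest are assumed.
SUBSTITUTIONS = str.maketrans({"0": "o", "!": "i", "@": "a", "$": "s"})

# Constructed sample of globally banned base terms (several taken from the
# password-spray slide above).
GLOBAL_BANNED = {"spring", "summer", "september", "winter", "football", "password"}

MIN_SCORE = 5  # assumed threshold


def normalize(password):
    """Lower-case the password and undo common character substitutions."""
    return password.lower().translate(SUBSTITUTIONS)


def score(password, custom_banned=()):
    """One point per banned-term occurrence plus one per leftover character."""
    text = normalize(password)
    banned = GLOBAL_BANNED | {normalize(term) for term in custom_banned}
    points = 0
    # Longest terms first so a long term is not split by a shorter one inside it.
    for term in sorted(banned, key=lambda t: (-len(t), t)):
        hits = text.count(term)
        points += hits
        # Replace with a marker so the pieces either side cannot join into a new match.
        text = text.replace(term, "\n")
    return points + len(text.replace("\n", ""))


def evaluate(password, custom_banned=()):
    """Return the slide's final verdict for a proposed password."""
    return "Allowed" if score(password, custom_banned) >= MIN_SCORE else "Blocked"


if __name__ == "__main__":
    org_terms = ["Contoso"]  # constructed custom list entry ("Your Company Name")
    for candidate in ["W!nter18", "F00tball!", "C0nt0so!1", "correct-horse-battery"]:
        print(candidate, score(candidate, org_terms), evaluate(candidate, org_terms))
```

Note that "C0nt0so!1" passes against the global list alone and is blocked only once the organization's own term is on the custom list.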
Locked down network access: Audit Mode
[Diagram labels: No internet; Internet connectivity; DC + DC Agent; Server + Proxy Agent; Azure; DC + DC Agent]
Locked down network access: Enforced
[Diagram labels: No internet; Internet connectivity; DC + DC Agent; Server + Proxy Agent; Azure; DC + DC Agent]
Demo: Stronger passwords with Azure AD password protection
Azure AD Password Protection
Cloud intelligence to ensure strong passwords
- Dynamic banning of passwords based on known bad patterns and those you define.
- Built for hybrid environments.
- Built for secure no-internet zone domain controllers
- Unified admin experience for on-premises and cloud.
- Support for multi-forest environment
- High availability architecture