Presentation transcript:

Users expect to be able to work in any location and have access to all their work resources. The explosion of devices has eradicated the standards-based approach to corporate IT. Deploying and managing apps across personal and organization-owned devices is difficult.
Users. Devices. Apps. Data.
Enabling users to be productive while maintaining compliance and reducing risk.

Empower users: allow people to work on the device of their choice and provide consistent access to corporate resources.
Unify your environment: deliver unified application and device management on-premises and in the cloud.
Protect your data: help protect corporate information and manage risk.
Users, devices, apps, data. Management. Access. Protection.

IT Admin policy examples:
Allow only users on 'known devices' to access the payroll application. Always require them to authenticate afresh.
Allow users to access our SharePoint portal from the extranet only if they have performed MFA.
Allow users from the Finance department to access our Payroll application. Require them to perform MFA and use 'known devices' for extranet access.

Module 1: Managing Identity Enterprise Device Infrastructure Camp Dan Stolts Chief Technology Strategist Microsoft

Corporate Identity Comes from Many Sources
Identity attributes are often located in multiple repositories: an HR system, LDAP, Exchange and a database. For a single person (givenName Samantha, surname Dearing, employeeID 007, title Coordinator, telephone) each repository holds a different subset of these attributes.
Forefront Identity Manager creates a compilation of these attributes with validation and keeps this in sync with all identity realms, connecting over LDAP v3, PowerShell, SQL (ODBC) and Web Services (SOAP, Java, REST).


Identity: Cloud, Sync or Federated?
Cloud identity provides a solution where all identity resides in the cloud.
Federated identity allows customers to retain all authentication on-premises.
Identity sync enables customers to bridge their existing identity into the cloud.
B2B federated identity allows customers to securely share and collaborate with each other.

Common Identity with Sync and Federation
Synchronization: user attributes are synchronized, including the password hash; authentication can be completed against either Azure Active Directory or Windows Server Active Directory.
Federation: user attributes are synchronized; authentication is passed back through federation and completed against Windows Server Active Directory. AD FS provides conditional access to resources, Workplace Join for device registration and integrated Multi-Factor Authentication.
*Write-back of attributes to support cloud-first and co-existence (*Coming Soon).

*Direct-to-cloud identity sync: Azure Active Directory Sync provides the ability to sync disparate on-premises identity repositories directly to Azure Active Directory, connecting over LDAP v3, PowerShell, SQL (ODBC) and Web Services (SOAP, Java, REST). (*Coming Soon)

Users can access corporate apps and data wherever they are.
IT can use the Web Application Proxy to authenticate users and devices with Multi-Factor Authentication, and use conditional access for granular control over how and where the app can be accessed.
Active Directory provides the central repository of user identity as well as device registration information.
Developers can leverage Microsoft Azure Mobile Services to integrate and enhance their apps.
Organizations can federate with partners and other organizations for seamless access to shared resources.
(Diagram: devices; apps and data; published apps; Active Directory integrated.)

Example Workload: Single sign-on to Office 365 and Microsoft Intune
Cloud Identity: a user with a cloud-only identity can sign in to Office 365 and Microsoft Intune using their Azure Active Directory credentials.
Directory Sync: when an Active Directory user logs on, their synchronized credentials are used to authenticate against Azure Active Directory.
Federated Identity: when an Active Directory user logs on, the authentication is passed back and validated against Windows Server Active Directory.

A stand-alone Azure Identity and Access Management service, also included in Azure Active Directory Premium.
Prevents unauthorized access to both on-premises and cloud applications by providing an additional level of authentication.
Trusted by thousands of enterprises to authenticate employee, customer, and partner access.

MFA for Office 365/Azure Administrators and Azure Multi-Factor Authentication. Administrators can:
Enable/enforce MFA for end users
Use the mobile app (online and OTP) as the second authentication factor
Use a phone call as the second authentication factor
Use SMS as the second authentication factor
Application passwords for non-browser clients (e.g. Outlook, Lync)
Default Microsoft greetings during authentication phone calls
Custom greetings during authentication phone calls
Fraud alert
MFA SDK
Security reports
MFA for on-premises applications / MFA Server
One-time bypass
Block/unblock users
Customizable caller ID for authentication phone calls
Event confirmation

Self-service experiences on-premises
Self-service group management, including dynamic membership calculation in these groups and distribution lists, based on the user's attributes.
Users can reset their passwords, significantly reducing help desk burden and costs.
Users can edit their profile details to update and add missing information.
All changes and updates are workflow and policy driven, with approval routing as appropriate.
Users can onboard new users and contractors into their teams and provide access to required resources.

Self-service experiences in the cloud
Self-service password change and reset for cloud users.
Users can easily access the SaaS apps they need, using their existing Active Directory credentials.
Leverage existing investments in Active Directory for a single set of user credentials.
Users can edit their profile details to update and add missing information.
Users can manage access requests through self-service group management.

Device trust spectrum, from an unknown device to a domain-joined one: organization control goes from no control through partial control to full control, and end-user access goes from no access through partial access (SSO) to full access.

Workplace Join & Device Registration Service
Lightweight registration process for personal devices.
Enables access to data when using a registered, trusted device; leverages the user and device identities together.
Used with Dynamic Access Control in Windows Server 2012 R2.
Primarily a security capability, potentially combined with MDM for manageability.

Device authentication: establishes an identity for the device. Seamless for the end user: done using client TLS, handled by the device OS platform, transparent to the user.
Compound identity: provides second-factor authentication and validates the device identity; resources can be restricted to prevent access from unknown devices.
Irwin on his Workplace Joined device: AD FS authenticates Irwin and authenticates Irwin's device before the apps are reached.
Irwin on an unknown device: AD FS authenticates Irwin only.

Diagram: device → DRS (Device Registration Service) → Active Directory (steps 1 and 2).
Supported platforms: Windows 8.1+, iOS 6+, Android (Samsung KNOX), Windows 7 Pro (domain-joined).

Device authentication over TLS (client and AD FS):
ClientHello
CertificateRequest: the server requests the device certificate for mutual authentication (issue TLS challenge to client for device cert).
Client certificate: the device presents its device certificate (public key) to the server.
ClientKeyExchange
CertificateVerify: the device proves possession of the device certificate by signing the handshake messages with the private key of the device cert.
ChangeCipherSpec
Finished
AD FS device authentication: verify proof of possession of the device cert, validate the device certificate in AD, check that the user registered the device, and apply lost/stolen device protection.

Workplace Join using the Azure AD Device Registration Service (Azure DRS)
Enables end users to join their BYOD devices to the workplace.
Recommended for customers who have hybrid deployments (resources across on-premises and the cloud). No need to deploy DRS on-premises.
Device objects need to be synchronized to the on-premises directory using DirSync to enable conditional access control on-premises.
Flow: device → Azure DRS → Azure AD: authenticate user; register device; create device object in AD and associate user with device; device registered, install device certificate.

LAB: Workplace Join (LAB4 during lunch). Complete the tasks in the "Before you begin" section of E202B before attempting the lab.

Screenshot: PC Settings > Network > Workplace. "Join your workplace network so that you can use network resources like internal websites and business apps." Enter your user ID to get workplace access or turn on device management. Buttons: Join, Turn on.

Screenshot: Workplace, device not joined. Sign-in prompt: user name, password, "Sign in with a certificate", "Connecting to a service".

Screenshot: Workplace, "This device has joined your workplace network." Your organization's device management system lets your IT admin set up apps and network connections for you. Buttons: Leave, Turn on. Consent text: "Some workplaces have policies, certificates, and apps that help you connect your device to business info. If you connect your PC, your workplace can apply settings, collect basic information, and install or remove apps they manage. Talk with your IT admin to learn more about your specific workplace." I agree to the Terms of Use.

Authentication and authorization pipeline: Primary Authentication (user authentication and device authentication) → Additional authentication → Authorization → Access token, or Access denied.

Workplace Join for Windows 7

Lab 5 (complete “Before you begin”) Workplace Join on Windows 7

Users and devices can be authenticated at the edge, prior to being granted access to the corporate environment. Apps that are not claims-aware, such as NTLM and Basic authentication-based apps, can be published with pass-through, with no preauthentication performed.

Apps are configured with per-application publishing settings.

Scenario: SharePoint with conditional access & MFA Users can connect to a published on-premises SharePoint server that has been integrated with AD FS. Through conditional access policies we can enforce additional authentication and authorization requirements, such as device registration. With integrated MFA, AD FS facilitates the device registration process and allows the user to continue and gain access to the SharePoint site.
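As an added illustration (not Microsoft's code or the session's lab material), this Python model walks a request through the pipeline on the earlier Authentication/Authorization slide: user authentication, device authentication with the registry checks AD FS performs after TLS has proven possession of the device certificate (lost/stolen protection included), additional authentication (MFA), and then the payroll and SharePoint rules from the IT Admin slide. Users, devices, policies and claim names are constructed sample data.

```python
# Added model of the conditional access pipeline on the slides (not Microsoft's
# code): user authentication -> device authentication -> additional authentication
# (MFA) -> per-app policy -> access token or access denied. All data is constructed.
from dataclasses import dataclass

# What Workplace Join / DRS records in the directory: device -> owner and status.
# A lost/stolen device is disabled, not deleted, so its certificate stops working.
DEVICE_REGISTRY = {
    "dev-irwin-laptop": {"owner": "irwin", "status": "active"},
    "dev-sam-tablet": {"owner": "samantha", "status": "lost"},
}
USERS = {"irwin": {"department": "Finance"}, "samantha": {"department": "HR"}}

# The three rules from the "IT Admin" slide, expressed per application.
POLICIES = {
    "payroll": {"departments": {"Finance"}, "known_device": True,
                "fresh_auth": True, "mfa_on_extranet": True},
    "sharepoint": {"mfa_on_extranet": True},
}

@dataclass
class Request:
    user: str
    app: str
    location: str               # "intranet" or "extranet"
    device_id: str = ""         # "" = no device certificate was presented
    mfa_done: bool = False      # additional authentication already completed
    fresh_auth: bool = False    # credentials re-entered in this session

def device_is_known(req):
    """Device authentication. TLS has already proven possession of the device key;
    AD FS then checks the device object exists, belongs to this user, and is not lost."""
    entry = DEVICE_REGISTRY.get(req.device_id)
    return bool(entry) and entry["owner"] == req.user and entry["status"] == "active"

def authorize(req):
    """Return (decision, detail): 'allow' carries the claims placed in the token;
    'deny', 'mfa_required' and 'device_required' carry the failing rule."""
    if req.user not in USERS:
        return "deny", "primary authentication failed"
    policy = POLICIES.get(req.app)
    if policy is None:
        return "deny", "application is not published"
    if "departments" in policy and USERS[req.user]["department"] not in policy["departments"]:
        return "deny", "user is not in an allowed department"
    if policy.get("fresh_auth") and not req.fresh_auth:
        return "deny", "fresh authentication required for this application"
    known = device_is_known(req)
    if policy.get("known_device") and not known:
        return "device_required", "a registered, non-lost device is required"
    if policy.get("mfa_on_extranet") and req.location == "extranet" and not req.mfa_done:
        return "mfa_required", "additional authentication required from the extranet"
    claims = {"user": req.user, "app": req.app, "device_registered": known,
              "inside_corp_network": req.location == "intranet"}
    return "allow", claims
```

The order of the checks mirrors the slide: a device that fails device authentication (unknown, someone else's, or reported lost) never reaches the MFA step for payroll, while SharePoint accepts an unknown device from the extranet once MFA has been performed.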

Surface & iPad

How to access the labs (IME3065). Navigate to: On the portal landing page, select Login with Microsoft Account, as shown below (this is your LiveID). Your attendee lab access event code is IME3065. Select Launch Lab next to the session you would like to do.

Next steps
Download evaluation software: download free Microsoft software trials today at the TechNet Evaluation Center.
Learn more: boost your technical skills with free expert-led technical training on Windows 8 from Microsoft Virtual Academy.
Get certified: get hired, get recognized, and get ahead with the MCSA Windows 8 certifications from Microsoft.
Evaluate online: test Microsoft's newest products and technologies in a virtual environment for free at the Microsoft Virtual Labs.