
Microsoft 2016 2/5/2018 11:42 AM BRK3107 Connect your on-premises directories to Azure AD and use one identity for all your apps Girish Chander Andreas.


Presentation transcript:

1 Microsoft 2016 BRK3107 Connect your on-premises directories to Azure AD and use one identity for all your apps. Girish Chander, Principal PM Manager; Andreas Kjellman, Sr Program Manager; Ross Adams, Sr Program Manager. © 2016 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

2 Microsoft Azure Active Directory and Hybrid identity
Girish Chander

3 Identity as the core of enterprise mobility
(Diagram) Windows Server Active Directory and other on-premises directories connect, through a simple connection, to Microsoft Azure Active Directory, which provides single sign-on and self-service to SaaS, Azure and other public-cloud apps.

4 Azure Active Directory
86% of Fortune 500 companies use Microsoft Cloud (Azure, O365, CRM Online, and PowerBI)
More than 9 M Azure AD directories
More than 600 M user accounts on Azure AD
Microsoft “Identity Management as a Service (IDaaS)” for organizations: millions of independent identity systems controlled by enterprise and government “tenants.” Information is owned and used by the controlling organization—not by Microsoft.
Born as a cloud directory for Office 365. Extended to manage across many clouds. Evolved to manage an organization’s relationships with its customers/citizens and partners (B2C and B2B).
33,000 Enterprise Mobility + Security | Azure AD Premium enterprise customers
>80k third-party applications used with Azure AD each month
>1.3 billion authentications every day on Azure AD
Every Office 365 and Microsoft Azure customer uses Azure Active Directory

5 Identity and access management in the cloud
Azure Active Directory: identity at the core of your business
Four pillars: cloud-powered protection; enable business without borders; manage access at scale; 1000s of apps, 1 identity
Provide one persona to the workforce for SSO to 1000s of cloud and on-premises apps
Stay productive with universal access to every app and collaboration capability
Manage identities and access at scale in the cloud and on-premises
Ensure user and admin accountability with better security and governance

6 Customer Stories Transportation, Logistics, Oil-Gas
Retail, Hospitality and Travel Government, Banking, Insurance Construction, Professional Services Education – Nonprofit Health

7 What is Azure AD Connect?
Primary tool to onboard to Azure AD
Express Settings gets customers connected in a matter of minutes
Provides install and configuration of password sync/AD FS for sign-in
All future investments will only be available with Azure AD Connect
(Diagram) Azure AD Connect brings together DirSync, Azure AD Sync, the FIM + Azure AD Connector sync path, AD FS and AD FS Health

8 Old Sync clients - Dirsync and Azure AD Sync
Marked deprecated as of Apr 2016
Will not be supported as of Apr 2017
Notifications in the Office message center and through Azure notifications
No improvements being made to these clients
Other reasons to move to Azure AD Connect anyway: faster sync cycles, better monitoring, more feature rich

9 Sync by the numbers: we have ~115K syncing customers
Azure AD Connect is now the largest client

10 Upgrade paths
DirSync: in-place migration of all supported custom configurations; side by side for > 50K objects; will not migrate unsupported configurations (such as removed attribute flows)
Azure AD Sync: in-place upgrade, or swing migration if needed
The numbers: over 2,700 customers upgraded last month, with 95%+ using the in-place upgrade process
Now is the time

11 Azure AD Connect and Windows 10 devices
Forward sync: syncs the domain DNS name and sAMAccountName of users to support SSO to Kerberos apps from Azure AD joined devices
Syncs computer accounts for enhanced domain-join functionality; requires that the certificate attribute on the computer account is populated
Handled by default; no additional configuration required
Writeback: Microsoft Passport credentials for login to AD DS and AD FS in Windows Server 2016 (TP4 or higher)

12 Azure AD Connect and Writeback
Password writeback: pairs with one of the most popular features of Azure AD Premium (SSPR); ability to reset passwords on-prem (password sync and federation supported)
Group writeback: Office 365 groups written back as distribution groups (DGs); improves productivity in hybrid scenarios
Device writeback: supports the ability to do conditional access in AD FS based on registered devices
Exchange hybrid writeback

13 Vereniging Natuurmonumenten
“We also use the Azure AD Connect service with Active Directory Federation Services so we can manage identities and access for all of our cloud services including Office 365 using one solution—and give our employees single sign-on to all their applications from any location.” - Sergei Rik, Lead Cloud Architect
Transforming how people work with anytime, anywhere access to applications

14 Details on components Andreas Kjellman

15 Hybrid identity components
(Diagram) On-premises AD DS and FIM/MIM Sync connect through the identity bridge, Azure AD Connect (sync engine, AD FS (optional), Health), to Azure AD and Office 365, your apps, and SaaS apps such as Salesforce, Box, DropBox and Google.

16 Designed for your agile and complex org
Start with a small pilot and grow as needed
Add and remove forests when needed
Allows documented customizations
Extend the Azure AD schema with directory extensions
Have a spare server (staging server) for rapid recovery

17 Cliffhanger from Ignite 2015…
Roadmap Sync Engine support Additional connected systems Azure AD Health for sync More robustness for bad data …and more frequent releases…

18 Recent Improvements Faster sync cycle Auto-upgrade
Faster sync cycle: 30 mins is the default sync cycle; can be increased using a PowerShell cmdlet
Auto-upgrade: no more manual updates of Azure AD Connect. Eligibility: need to be on version 1.1 or higher; express installs only; no customizations of sync rules
Modern authentication: support for MFA/PIM policies on admin sign-in in the tool
Changing sign-in method: change the sign-in method through the wizard; pilot using password sync, switch to federation later

19 Soft-match on UPN
Moving from a cloud-only identity model to a synchronized model used to be a challenge: either set ImmutableID on all cloud objects or, if you have Exchange Online, soft-match on proxyAddresses
You can now enable soft-match on UPN: Set-MsolDirSyncFeature -Feature EnableSoftMatchOnUpn -Enable $true

20 Allow sync to update UPN
UPNs used to be updateable with PowerShell only Sync can now update UPN. Enable with: Set-MsolDirSyncFeature -Feature SynchronizeUpnForManagedUsers -Enable $true Does not work if you use federation
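An added example, not from the deck, of how a practitioner would apply slides 19 and 20: read a tenant's current DirSync feature flags with the MSOnline module before toggling them, and, for accounts you would rather not have matched by attribute, set the ImmutableID explicitly (a hard match) from the on-premises objectGUID, which was Azure AD Connect's default source anchor at the time of this deck. Soft match links an existing cloud object to whichever on-premises object arrives with the same UPN at the next sync, so it is worth knowing who can create users with an arbitrary UPN inside the synced OUs; hard matching privileged cloud accounts removes that dependency. The function names are hypothetical helpers and the account names are placeholders.

```powershell
# Added example (not from the BRK3107 deck). Requires the MSOnline and
# ActiveDirectory modules; run as a Global Administrator after
# Connect-MsolService (MFA/PIM policies apply to that admin sign-in).
Import-Module MSOnline
Import-Module ActiveDirectory
Connect-MsolService

function Enable-DirSyncFeatureIfNeeded {
    # Idempotent wrapper: read the tenant-wide flag first, enable only if it is off.
    param([Parameter(Mandatory)][string]$Feature)
    $state = Get-MsolDirSyncFeatures -Feature $Feature
    if ($state.Enabled) {
        Write-Host "$Feature is already enabled"
    } else {
        Set-MsolDirSyncFeature -Feature $Feature -Enable $true -Force
        Write-Host "$Feature enabled"
    }
}

# Slide 19: match cloud-only users to on-prem users by UPN at the next sync.
Enable-DirSyncFeatureIfNeeded -Feature EnableSoftMatchOnUpn
# Slide 20: let sync update UPNs of managed (non-federated) users.
Enable-DirSyncFeatureIfNeeded -Feature SynchronizeUpnForManagedUsers

function Get-ImmutableIdFromObjectGuid {
    # Azure AD Connect's default source anchor for a user is the base64 form of
    # the on-prem objectGUID bytes; this is the value a hard match compares.
    param([Parameter(Mandatory)][string]$SamAccountName)
    $adUser = Get-ADUser -Identity $SamAccountName -Properties objectGUID
    return [Convert]::ToBase64String($adUser.ObjectGUID.ToByteArray())
}

function Set-HardMatch {
    # Anchor an existing cloud-only user to one specific on-prem user so the
    # match does not depend on UPN or proxyAddresses equality.
    param(
        [Parameter(Mandatory)][string]$SamAccountName,   # on-prem user
        [Parameter(Mandatory)][string]$CloudUpn          # existing cloud user
    )
    $immutableId = Get-ImmutableIdFromObjectGuid -SamAccountName $SamAccountName
    $cloudUser = Get-MsolUser -UserPrincipalName $CloudUpn
    if ($cloudUser.ImmutableId -and $cloudUser.ImmutableId -ne $immutableId) {
        throw "$CloudUpn is already anchored to another on-prem object (ImmutableId $($cloudUser.ImmutableId)); not re-anchoring"
    }
    Set-MsolUser -UserPrincipalName $CloudUpn -ImmutableId $immutableId
    return $immutableId
}

# Placeholder names: hard-match one privileged cloud account before the first sync.
Set-HardMatch -SamAccountName 'jdoe' -CloudUpn 'jdoe@contoso.onmicrosoft.com'
```

Set-HardMatch refuses to overwrite an ImmutableID that already points elsewhere; if the cloud object is already being synchronized, Azure AD rejects the change anyway, and the object has to be handled through the normal re-anchoring procedure rather than a direct attribute write.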

21 Is this your inbox…?

22 Reducing sync errors UPN and Proxy address conflicts
UPNs and proxy addresses need to be unique between two objects in Azure AD
Conflicting objects are not synced at all; the sync is attempted on every sync cycle and the error is reported every time
These form the majority of the sync errors customers hit
Duplicate Attribute Resiliency: the new behavior in Azure AD is to sync the conflicting object but quarantine the offending attribute
UPN conflict: the offending UPN is ‘made unique’ by adding a 4-digit number to the prefix
Proxy address conflict: the offending attribute is quarantined
Default behavior for new tenants; rolled out to existing tenants. Enabled through the following PowerShell cmdlets:
Set-MsolDirSyncFeature -Feature DuplicateUPNResiliency -Enable $true
Set-MsolDirSyncFeature -Feature DuplicateProxyAddressResiliency -Enable $true
Errors reported once at the time of conflict; available in the O365 portal; viewable through PowerShell
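An added example, not from the deck, covering the practitioner side of slide 22: turn on the two resiliency features, read the quarantined conflicts back out of Azure AD, and scan on-premises AD for the same UPN and proxy-address collisions before the next sync cycle so the fix is made at the source instead of living as a quarantined attribute. The three directory objects at the bottom are constructed sample data; the commented Get-ADObject line shows how to feed the real forest instead. Find-DuplicateMatchingAttributes is a hypothetical helper name.

```powershell
# Added example (not from the BRK3107 deck). Requires the MSOnline module and a
# Connect-MsolService session; the on-prem scan needs the ActiveDirectory module.
Import-Module MSOnline
Connect-MsolService

foreach ($feature in 'DuplicateUPNResiliency', 'DuplicateProxyAddressResiliency') {
    if (-not (Get-MsolDirSyncFeatures -Feature $feature).Enabled) {
        Set-MsolDirSyncFeature -Feature $feature -Enable $true -Force
    }
}

# With resiliency on, each conflict is recorded once as a provisioning error
# instead of being retried and re-reported on every 30-minute cycle.
Get-MsolDirSyncProvisioningError -ErrorCategory PropertyConflict | Format-List

function Find-DuplicateMatchingAttributes {
    # Groups UPNs and proxy addresses across the given directory objects and
    # returns every value that is present on more than one object. Values are
    # compared case-insensitively, as the Azure AD uniqueness check is.
    param([Parameter(Mandatory)][object[]]$Objects)
    $owners = @{}
    foreach ($obj in $Objects) {
        $values = @()
        if ($obj.UserPrincipalName) {
            $values += 'upn:' + $obj.UserPrincipalName.ToLowerInvariant()
        }
        foreach ($address in @($obj.ProxyAddresses)) {
            # proxyAddresses carry a type prefix (SMTP:/smtp:/X500:); lower-casing
            # the whole string makes the primary and secondary SMTP forms of one
            # address collide, which is what Azure AD treats as a duplicate.
            if ($address) { $values += 'proxy:' + ([string]$address).ToLowerInvariant() }
        }
        foreach ($value in $values) {
            if (-not $owners.ContainsKey($value)) { $owners[$value] = @() }
            $owners[$value] += $obj.DistinguishedName
        }
    }
    foreach ($entry in $owners.GetEnumerator()) {
        if ($entry.Value.Count -gt 1) {
            [pscustomobject]@{ Value = $entry.Key; Objects = ($entry.Value -join '; ') }
        }
    }
}

# Constructed sample: a stale account still carries Alice's SMTP address.
$sample = @(
    [pscustomobject]@{ DistinguishedName = 'CN=Alice,OU=Users,DC=contoso,DC=com'
                       UserPrincipalName = 'alice@contoso.com'
                       ProxyAddresses    = @('SMTP:alice@contoso.com') }
    [pscustomobject]@{ DistinguishedName = 'CN=Alice (old),OU=Stale,DC=contoso,DC=com'
                       UserPrincipalName = 'alice.old@contoso.com'
                       ProxyAddresses    = @('smtp:alice@contoso.com') }
    [pscustomobject]@{ DistinguishedName = 'CN=Bob,OU=Users,DC=contoso,DC=com'
                       UserPrincipalName = 'bob@contoso.com'
                       ProxyAddresses    = @('SMTP:bob@contoso.com') }
)
Find-DuplicateMatchingAttributes -Objects $sample

# Against the real forest: users, contacts and groups all carry proxyAddresses,
# so query objects rather than users only.
# Find-DuplicateMatchingAttributes -Objects (Get-ADObject -LDAPFilter '(|(userPrincipalName=*)(proxyAddresses=*))' -Properties userPrincipalName, proxyAddresses)
```

Run the scan against every forest you sync, not just one: the uniqueness rule applies tenant-wide, so an address that is unique in each forest can still collide once both are connected.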

23 Sync error reporting Builds on Azure AD Health
Must be on Connect build 2016 August ( )
Know you have errors
Reporting
Fixing errors
No additional cost (does not require Premium)

24 Demo – Health and Sync errors
Andreas Kjellman

25 LDAP support LDAP support in Azure AD Connect coming soon
Limited features at the start of private preview: only single-vendor LDAP servers; no mixed mode (AD + LDAP) in the wizard; no writeback; no directory extensions
Use AD FS 2016 for single sign-on; no password sync

26 Demo – LDAP support Andreas Kjellman

27 Authentication updates
Ross Adams

28 Today’s sign-on curve
(Chart of value against complexity) Cloud-only accounts; AAD Connect; AAD Connect + PHS; AAD Connect + AD FS

29 Our Goals Help new customers achieve the following
AuthN against Active Directory on-premises
No passwords in the cloud
Do not want unauthenticated endpoints on-premises exposed to the internet
Provide a true single sign-on solution
Help existing customers switch to a lower-TCO option

30 Azure AD Pass-through Authentication (PTA)
Enables customers to validate passwords on-premises without complexity
Allows on-premises policies to be evaluated, such as account disabled, logon hours restrictions etc.
Simple deployment via AAD Connect, no complex DMZ requirements
Works for single- or multi-forest customers
Built on Azure AD infrastructure
Securely validates the user’s password against on-premises AD
Customers can deploy multiple agents for HA
Bottom line: similar benefits to federation without the deployment cost

31 Single Sign-on for corporate users
True single sign-on for corporate users
No additional servers or infrastructure required on premises
Accelerated deployment; utilizes existing Active Directory infrastructure
Inherent support for multiple regions and for finding the closest DC
Based on Kerberos clients (Windows 7+)
No DR/HA plan needed beyond existing AD plans
Support for both Azure AD pass-through authentication and password hash sync customers
SSO is provided for all domain-joined corporate machines with line of sight to a DC

32 How does this change the curve?

33 Tomorrow’s sign-on curve
(Chart of value against complexity) Cloud-only accounts; AAD Connect; AAD Connect + PHS; AAD Connect + PHS and SSO; AAD Connect + PTA and SSO; AAD Connect + AD FS

34 Demo - PTA and Single Sign-on
Ross Adams

35 How this changes deployments
Provides similar services to federation: forms-based authentication for non-domain-joined users and users outside the corporate network (PTA); SSO for domain-joined users on the corporate network (SSO)
No need for dedicated servers: PTA can be installed on existing servers or DCs; SSO is only a computer account in AD
No load balancers: PTA automatically uses all available connectors, no need to load balance
No DMZ: all connections are outbound; no unauthenticated endpoints on the internet
Less to manage ongoing: simple DR, place connectors where needed; no certificates to manage
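An added example, not from the deck, that checks the "no DMZ, all connections are outbound" property of slide 35 on a server running the pass-through authentication agent: it lists the agent process's TCP sockets and reports any listening socket (an endpoint reachable before Azure AD has authenticated anyone) or any established connection to a port other than the HTTPS and CRL ports the agent uses. The deck calls the component a "connector"; the process name in the default parameter is the name the agent shipped with at GA and is an assumption here, so pass -ProcessName if yours differs. Test-PtaAgentOutboundOnly is a hypothetical helper name.

```powershell
# Added example (not from the BRK3107 deck). Needs the NetTCPIP module
# (Windows Server 2012 or later) and local admin rights to see other processes'
# sockets.
function Test-PtaAgentOutboundOnly {
    param(
        # GA executable name of the PTA agent; assumption relative to this deck.
        [string]$ProcessName = 'AzureADConnectAuthenticationAgentService',
        # 443 for all service traffic, 80 for CRL downloads.
        [int[]]$ExpectedRemotePorts = @(443, 80)
    )
    $procs = Get-Process -Name $ProcessName -ErrorAction SilentlyContinue
    if (-not $procs) {
        return [pscustomobject]@{
            Agent = $ProcessName; Running = $false; OutboundOnly = $null
            Listening = @(); Outbound = @()
        }
    }
    $agentPids = @($procs.Id)
    $conns = Get-NetTCPConnection | Where-Object { $agentPids -contains $_.OwningProcess }

    # Any socket in Listen state would be an inbound endpoint; there should be none.
    $listening = @($conns | Where-Object { $_.State -eq 'Listen' })
    $outbound  = @($conns | Where-Object { $_.State -eq 'Established' } |
                  Select-Object RemoteAddress, RemotePort)
    $unexpected = @($outbound | Where-Object { $ExpectedRemotePorts -notcontains $_.RemotePort })

    [pscustomobject]@{
        Agent        = $ProcessName
        Running      = $true
        OutboundOnly = ($listening.Count -eq 0 -and $unexpected.Count -eq 0)
        Listening    = @($listening | Select-Object LocalAddress, LocalPort)
        Outbound     = $outbound
    }
}

Test-PtaAgentOutboundOnly | Format-List
```

The same check is worth repeating after every agent upgrade and on every server the agent is placed on, since the no-inbound-endpoint property is what lets the agent sit on an existing member server or DC without a DMZ.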

36 What AD FS offers that PTA with SSO doesn’t
Support for smartcard authentication Support for 3rd Party MFA providers Passwords are always in your control boundary – i.e. don’t pass through the cloud On-premises conditional access rules based on issuance policies, such as Exchange protocols (e.g. pop, imap etc) Inside network claim

37 How does it work?

38 Pass-through authentication
(Sequence diagram)
1. The user sends their username and password to the Azure AD STS
2. The username and password are passed to the Hybrid Identity Service
3. The connector, inside Contoso corpnet, is notified of the request
4. The connector validates the credentials against AD (the DC)
5. The DC returns the result
6. The connector returns the result
7. The result is returned to the Azure AD STS
8. A token is returned to the user, or further proofs (MFA) are initiated

39 How does it work - Setup Azure AD Contoso Corpnet DC
(Diagram: Azure AD, Contoso corpnet, DC)
1. A machine account is created in on-prem AD
2. Its Kerberos key is stored securely in Azure AD
3. A GPO sets the intranet zone

40 How does it work - Runtime
(Diagram: Azure AD STS, user, DC in Contoso corpnet)
1. The user enters their username
2. The Azure AD STS returns a 401 response to get a Kerberos ticket
3. The user requests a Kerberos ticket from the DC
4. AD returns the Kerberos ticket
5. The user sends the ticket to the Azure AD STS
6. The Azure AD STS returns a token to the user
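An added example, not from the deck, that verifies the three setup pieces of slide 39 and reproduces steps 3 and 4 of slide 40 by hand on a domain-joined client. Two names are used that the preview deck does not state and that should be treated as assumptions here: AZUREADSSOACC, the computer account Azure AD Connect creates for seamless SSO, and https://autologon.microsoftazuread-sso.com, the Azure AD endpoint that issues the 401 and has to sit in the Local intranet zone. The computer account's password is the Kerberos key Azure AD holds, so the check also reports its age against the 30-day roll interval Microsoft recommends. Both function names are hypothetical helpers.

```powershell
# Added example (not from the BRK3107 deck). Run on a domain-joined Windows
# client with the ActiveDirectory RSAT module; klist is built in.
Import-Module ActiveDirectory

function Test-SeamlessSsoComputerAccount {
    param([string]$AccountName = 'AZUREADSSOACC', [int]$MaxKeyAgeDays = 30)
    $acct = Get-ADComputer -Identity $AccountName -Properties ServicePrincipalName, PasswordLastSet
    # The account password is the Kerberos decryption key shared with Azure AD
    # (slide 39, step 2); rolling it is done from Azure AD Connect, not by
    # resetting the password directly.
    $keyAge = (Get-Date) - $acct.PasswordLastSet
    [pscustomobject]@{
        Account         = $acct.SamAccountName
        Enabled         = $acct.Enabled
        HasAutologonSpn = ($acct.ServicePrincipalName -contains 'HTTP/autologon.microsoftazuread-sso.com')
        KeyAgeDays      = [int][math]::Floor($keyAge.TotalDays)
        KeyRollOverdue  = ($keyAge.TotalDays -gt $MaxKeyAgeDays)
    }
}

function Test-IntranetZoneAssignment {
    # The "Site to Zone Assignment List" policy (slide 39, step 3) writes one
    # value per URL under ZoneMapKey; data '1' means Local intranet, which is
    # what lets the browser answer the 401 with a Kerberos ticket silently.
    param([string]$Url = 'https://autologon.microsoftazuread-sso.com')
    $policyPaths = @(
        'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey',
        'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'
    )
    foreach ($path in $policyPaths) {
        $values = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
        if ($values -and $values.PSObject.Properties[$Url] -and "$($values.$Url)" -eq '1') {
            return [pscustomobject]@{ Url = $Url; Zone = 'Local intranet (1)'; Source = $path }
        }
    }
    [pscustomobject]@{ Url = $Url; Zone = 'not assigned by policy'; Source = $null }
}

Test-SeamlessSsoComputerAccount | Format-List
Test-IntranetZoneAssignment | Format-List

# Slide 40, steps 3 and 4, done by hand: ask the DC for a service ticket to the
# SSO SPN and show it. This ticket is what the browser posts to the Azure AD STS.
klist get HTTP/autologon.microsoftazuread-sso.com
klist | Select-String -Pattern 'autologon.microsoftazuread-sso.com'
```

If the klist request fails while the computer-account check passes, the client has no line of sight to a DC, which is the condition slide 31 puts on SSO; if it succeeds but the browser still prompts, the zone assignment is the usual culprit.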

41 Availability: authentication features need run time
Currently in Private Preview with a set of customers

42 Things to take away
Azure AD Connect—single tool to onboard to Azure AD/Office 365: most customers use the simple password sync; eases AD FS deployments; supports multiple advanced scenarios that earlier tools do not
Get your customers to upgrade today, for all the benefits of Azure AD Connect: older tools are deprecated; new investments only in AAD Connect
Customers want SSO and on-premises password validation: we’re making this much simpler with Azure AD pass-through authentication and SSO

43 Identity and Access Management Sessions
Monday
02:15 BRK2139 Protect your business and empower your users with cloud Identity and Access Management
Tuesday
12:30 BRK3107 Connect your on-premises directories to Azure AD and use one identity for all your apps
02:15 BRK3225 Secure access to Office 365, SaaS, and on-premises apps and files with Azure AD and Intune
04:30 BRK3109 Deliver management and security at scale to Office 365 with Azure Active Directory
Wednesday
09:00 BRK3111 Manage productivity at scale with Azure Active Directory
11:30 BRK2210 Learn how Unilever modernized IT with Azure Active Directory at the core
02:15 BRK3139 Throw away your DMZ – Azure Active Directory Application Proxy deep-dive
04:00 BRK3181 Secure your web applications with Microsoft identity
Thursday
09:00 BRK3252 Use managed domain services on Microsoft Azure
12:30 BRK3182 Secure your native and mobile applications with Microsoft identity and application management
02:15 BRK3110 Respond to advanced threats before they start - identity protection at its best!
04:00 BRK3179 Modernize your app’s consumer identity management with Azure AD B2C
04:30 BRK2067 Manage access to SaaS Applications With Azure Active Directory
Friday
09:00 BRK3074 Discover what’s new in Active Directory Federation and Domain Services in Windows Server 2016
10:45 BRK3108 Share corporate resources with your partners using Azure AD B2B collaboration
12:30 BRK3330 Join your Windows 10 devices to Azure AD for anywhere, anytime productivity

44 Free IT Pro resources To advance your career in cloud technology
Plan your career path: Microsoft IT Pro Career Center (cloud role mapping, expert advice on skills needed, self-paced curriculum by cloud role)
Get started with Azure: Microsoft IT Pro Cloud Essentials ($300 Azure credits and extended trials, Pluralsight 3 month subscription (10 courses), phone support incident)
Demos and how-to videos: Microsoft Mechanics (weekly short videos and insights from Microsoft’s leaders and engineers)
Connect with peers and experts: Microsoft Tech Community (connect with a community of peers and Microsoft experts)

45 Please evaluate this session
Your feedback is important to us! From your PC or tablet visit MyIgnite at
From your phone download and use the Ignite Mobile App by scanning the QR code above or visiting

46 Thank you Questions?
