Identity and access management

Presentation on theme: "Identity and access management"— Presentation transcript:

1 Identity and access management
Identity and access management
Name, Title
4/28/2018
© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

2 Is it possible to keep up?
Is it possible to stay secure?
What must be secured: users (employees, business partners, customers), devices, apps, data.
What goes wrong: lost device, data leaks, compromised identity, stolen credentials.

3 Is it possible to keep up?
Microsoft's vision, across the same four areas (users: employees, business partners, customers; devices; apps; data):
- Access everything from everywhere
- Manage and secure productivity
- Integrate with what you have

4 The current reality On-premises Managed devices Active Directory
Diagram labels: on-premises, managed devices, Active Directory, EC2.

5 Challenge: identities live in too many places
Hybrid identity: user identities come from multiple repositories. Microsoft Azure Active Directory vs. Windows Server Active Directory, plus the other sources shown:
- HR system
- Windows Server Active Directory
- LDAP v3 / LDAP
- Finance
- Windows PowerShell
- Oracle DB
- Web apps
- Web services (SOAP, Java, REST)
- Generic SQL via ODBC

6 Microsoft’s IAM solution
- Spans cloud and on-premises
- Provides a full spectrum of services: federation, identity management, device registration, user provisioning, application access control, data protection
Modern identity management system (diagram): Microsoft Azure Active Directory with AAD App Proxy, Microsoft Identity Manager, apps in Azure (Microsoft Cloud), third-party apps & clouds, apps on-premises.
The combination of Windows Server Active Directory, Microsoft Identity Manager, and Microsoft Azure Active Directory enables better security for today's hybrid enterprise.

7 Identity as the core of enterprise mobility
Diagram: a simple connection from Windows Server Active Directory and other directories (on-premises) to Microsoft Azure Active Directory (cloud), providing single sign-on and self-service for SaaS, Azure and public-cloud applications.
Speaker notes: Microsoft has a solution for this. Traditional identity and access management solutions providing single sign-on to on-premises applications and directory services such as Active Directory are used by the vast majority of organizations, and huge investments were made to deploy and maintain them. These solutions are perfect for the on-premises world. Now, as we have discussed, there are new pressing requirements to provide the same experience for cloud applications hosted in any public cloud. Azure Active Directory can be the solution to this new challenge by extending the reach of on-premises identities to the cloud in a secure and efficient way. To do that, one simple connection is needed from on-premises directories to Azure AD, and everything else is handled by Azure AD: secure single sign-on to thousands of SaaS applications hosted in any cloud, using the same credentials that exist on-premises. And we don't forget the users: Azure AD provides self-service capabilities and easy access to all the applications, consumer or business, that they need, in the cloud and on-premises too (Application Proxy).

8 Azure Active Directory
Microsoft's "Identity Management as a Service (IDaaS)" for organizations: millions of independent identity systems controlled by enterprise and government "tenants". Information is owned and used by the controlling organization, not by Microsoft. Born as a cloud directory for Office 365, extended to manage across many clouds, and evolved to manage an organization's relationships with its customers/citizens and partners (B2C and B2B).
By the numbers:
- 86% of Fortune 500 companies use Microsoft Cloud (Azure, O365, CRM Online, and PowerBI)
- >7 M Azure AD directories
- More than 550 M user accounts on Azure AD
- 1 trillion Azure AD authentications since the release of the service
- >35k third-party applications used with Azure AD each month
- >1.3 billion authentications every day on Azure AD
- Every Office 365 and Microsoft Azure customer uses Azure Active Directory

9 Azure Active Directory scenarios
- 1000s of apps, 1 identity
- Making the lives of users (and IT) easier
- Managing identities
- Collaborating with partners
- Enabling anytime/anywhere productivity
- Identity-driven security
- Connecting with consumers
- Your domain controller as a service

10 Making a hybrid identity simple
Chapter: Your directory on the cloud
Azure Active Directory Connect:
- Consolidated deployment assistant for your identity bridge components.
- All currently available sync engines (DirSync, Azure Active Directory Sync, FIM + Azure Active Directory Connector) will be replaced by the sync engine included in the Connect tool.
- Assisted deployment of ADFS will be available through Azure Active Directory Connect.
- ADFS is an optional component for authentication in a hybrid implementation; password sync can replace ADFS in more scenarios.

11 Delivering a seamless user-authentication experience
Chapter: Empower users
Two ways to complete authentication for synchronized identities:
- Identity synchronization with password (hash) sync: user attributes are synchronized using identity synchronization services, including a password hash; authentication is completed against Microsoft Azure Active Directory.
- Identity synchronization with ADFS: user attributes are synchronized using identity synchronization tools; authentication is passed back through federation and completed against Windows Server Active Directory.

12 1000s of apps, 1 identity
Connect and sync on-premises directories with Azure:
- MIM *
- Azure Active Directory Connect and Connect Health *
Other directories and sources connected to Microsoft Azure Active Directory: HR apps, PowerShell, SQL (ODBC), LDAP v3, Web Services (SOAP, JAVA, REST).

13 1000s of apps, 1 identity (continued)
- Connect and sync on-premises directories with Azure (other directories)
- 2500+ pre-integrated popular SaaS apps and self-service integration via templates
- Easily publish on-premises web apps via Application Proxy, plus custom apps
Diagram: Microsoft Azure; web apps (Azure Active Directory Application Proxy); integrated custom apps; SaaS apps.

14 Making the lives of users (and IT) easier
Company-branded, personalized application Access Panel (plus mobile apps):
- Manage your account, apps, and groups
- Self-service password reset
- Application access requests

15 Making the lives of users (and IT) easier
MyApps integration with Office 365

16 Managing identities
Comprehensive identity and access management console for the IT professional:
- Centralized access administration for pre-integrated SaaS apps and other cloud-based apps
- Dynamic groups, device registration, secure business processes with advanced access management capabilities

17 Collaborating with partners: B2B collaboration
Chapter: Manage everything
Share without complex configuration or duplicate users:
- Partners use their own credentials to access your org
- Users lose access when leaving the partner org
- No external directories
- No per-partner federation
You manage access. You control partner access in your directory: app assignment, group membership, custom attributes.
Partners of all sizes:
- Bulk invite 1000s at a time
- Partners with Azure Active Directory sign in to accept the invite
- Other partners simply sign up to accept the invite
"We needed to quickly and cost effectively stand up new IT infrastructure, including extranet applications for thousands of business partners. Azure Active Directory B2B collaboration provides a simple and secure way for partners, large and small, to use their own credentials to access Kodak Alaris systems." (3000+ partners)

18 Connecting with consumers: Azure Active Directory B2C
Consumer identity and access management in the cloud: cross-platform, identity management for consumers, superior economics, identity experience engine.
Resources: web site, vision video (aka.ms/aadb2cvideo), pricing page, trial page, documentation, other videos. There is a dedicated deck on B2C on infopedia.
"By using Azure Active Directory B2C we were able to build a fully customized login page without having to build custom code. Additionally, with a Microsoft solution in place, we alleviated all our concerns about security, data breaches, and scalability." - Rafael de los Santos, Head of Digital, Real Madrid

19 Azure Active Directory Application Proxy
Chapter: Your directory on the cloud
- A connector that auto-connects to the cloud service (Application Proxy in Microsoft Azure Active Directory)
- Multiple connectors can be deployed for redundancy, scale, multiple sites, and different resources
- Connectors are usually deployed on corpnet, next to the resources
- Users connect to the cloud service, which routes their traffic to the resources via the connectors
Diagram zones: DMZ; corporate network containing the connectors and the resources.

20 Achieve simple and secure partner access
Chapter: Manage everything
Partners manage their own credentials:
- Partners use their own credentials to access your org
- Users lose access when they leave the partner org
- No external directories
- No per-partner federation
Organizations manage access. You control partner access in your directory: app assignment, group membership, custom attributes.
Partners of all sizes:
- Thousands of bulk invites at a time
- Partners with Azure Active Directory sign in to accept the invite
- Other partners simply sign up to accept the invite
Speaker notes. Value proposition: simple and secure partner access; partner-managed identities; customer-managed access; all partners, large and small. And by apps I mean: SaaS apps (Office 365, Salesforce, Box), on-premises apps (claims-aware only for preview), mobile or cloud apps.
1. Bulk invite 1000s of users at a time
2. Bulk add invited users to groups and applications
3. Partner-managed credentials to access your resources
4. Verified sign-up for Azure AD accounts

21 Reveal shadow IT Microsoft Azure Active Directory
Chapter: Monitor and protect
Source: Help Net Security 2014: as many cloud apps are in use as IT estimates (the multiplier from the slide graphic is not preserved in the transcript).
Discover all SaaS apps in use within your organization with Microsoft Azure Active Directory Cloud App Discovery. Comprehensive reporting: SaaS app category, number of users, utilization volume.

22 Privileged identity management
Chapter: Monitor and protect
- Discover, restrict, and monitor privileged identities and their access to resources
- Enforce on-demand, just-in-time administrative access when needed
Components: Security Wizard, alerts, security reviews.

23 Rich standards-based platform for developers
Chapter: Empower users
- Custom LOB applications can integrate with Azure Active Directory
- Sign in to Active Directory-integrated applications with cloud identities
- Active Directory-integrated applications can access Office 365 and other web APIs
- Applications can extend the Azure Active Directory schema
- Cross-platform support (iOS, Android, and Windows)
- Open standards (SAML, OAuth 2.0, OpenID Connect, OData 3.0)
Protocols and APIs exposed by Microsoft Azure Active Directory: SCIM, OAuth2 and OpenID Connect, SAML, WS-Federation, REST-based Graph API.

24 Monitor and protect access to enterprise apps
Chapter: Monitor and protect
- Built-in security features
- Security reporting that tracks inconsistent access patterns, analytics, and alerts
- Reporting API
- Step up to Multi-Factor Authentication

25 Azure Active Directory Identity Protection
Chapter: Monitor and protect (Public Preview)
Protect your organization from compromised accounts, identity attacks, and configuration issues. Identity Protection provides a consolidated view into identity threats and vulnerabilities. Be notified of and understand risk, perform recommended remediation, and automate future responses with risk-based Conditional Access policies.
Using Azure AD Identity Protection, you are able to:
- Get a consolidated view to examine suspicious user activities that have been detected in real time with the use of machine learning algorithms on signals like brute force attacks, leaked credentials, and sign-ins from unfamiliar locations.
- Use remediation recommendations on a list of configuration vulnerabilities that could lead to an elevated risk of user compromise.
- Set risk-based policies to automatically protect the identities of your organization.
Notification, analysis, remediation, and policy configuration.
Speaker notes. Based on existing and new signals, Azure AD machine learning and user behavioral analysis produce:
- User at risk of compromise: sufficient indicators that the credentials are under someone else's control (leaked, multi-geo, spam, etc.). The signal quality is better, with fewer false positives.
- Risky login events: real-time analysis of logins; anomalies in the location, the network, TOR. Brings experience from MSA.
- Unused admin accounts / excessive admin privilege: many global admins.
- Add vulnerability vectors.

26 What is Azure Multi-Factor Authentication?
Chapter: Monitor and protect
- A standalone Azure identity and access management service, also included in Azure Active Directory Premium
- Prevents unauthorized access to both on-premises and cloud applications by providing an additional level of authentication
- Trusted by thousands of enterprises to authenticate employee, customer, and partner access

27 How it works
Chapter: Monitor and protect
Second-factor channels: mobile apps, phone calls, text messages.

28 How it works (continued)
Chapter: Monitor and protect
1. Users sign in from any device using their existing username/password.
2. Users must also authenticate using their phone or mobile device before access is granted.
On-premises apps (RADIUS, LDAP, IIS, RDS/VDI, .NET, Java, PHP…) authenticate through the Multi-factor authentication server, which is backed by Windows Server Active Directory or another LDAP directory. Cloud apps authenticate through Microsoft Azure Active Directory (SAML).

29 Azure MFA vs. MFA for Office 365
Chapter: Monitor and protect
Comparison columns: MFA for Office 365/Azure Administrators; Azure Multi-Factor Authentication. Feature rows (the per-column Yes/No marks are not preserved in the transcript, apart from the first row):
- Administrators can enable/enforce MFA to end users: Yes
- Use mobile app (online and OTP) as second authentication factor
- Use phone call as second authentication factor
- Use SMS as second authentication factor
- Application passwords for non-browser clients (e.g., Outlook, Lync)
- Default Microsoft greetings during authentication phone calls
- Suspend MFA from known devices
- Custom greetings during authentication phone calls
- Fraud alert
- MFA SDK
- Security reports
- MFA for on-premises applications / MFA server
- One-time bypass
- Block/unblock users
- Customizable caller ID for authentication phone calls
- Event confirmation
- Trusted IPs

30 Application access policies
Chapter: Monitor and protect
Conditions: cloud apps, location (IP range), device state, user, user group, on-premises.
Actions: allow access, enforce MFA per user/per app, block access.

31 Windows 10 Azure AD joined devices
Enabling anytime, anywhere productivity: Azure Active Directory Join for Windows 10
Azure Active Directory Join makes it possible to connect work-owned Windows 10 devices to your company's Azure Active Directory.
- Enterprise-compliant services
- SSO from the desktop to cloud and on-premises applications with no VPN
- Intune/MDM auto-enrollment
- Support for hybrid environments
Diagram: Windows 10 Azure AD joined devices; Azure Active Directory; apps in Azure; third-party apps & clouds; on-premises apps.
Speaker note: Microsoft is the only vendor that fully believes the largest enterprises will remain in this hybrid state.

32 Identity-driven security: conditional access
User attributes: user identity, group memberships, authentication strength.
Devices: are domain joined, are compliant, platform type (Windows, iOS, Android).
Application: per-app policy, type of client (web, rich, mobile).
Other: location (IP range), risk profile, on-premises applications.
Resulting actions: allow, enforce MFA, block.

33 Identity-driven security
Chapter: Monitor and protect
Conditions: user, user group, cloud apps, location (IP range), device state, MFA, risk, on-premises.
Actions: allow access, enforce MFA per user/per app, block access.
Supporting capabilities: Identity Protection (notifications, analysis, remediation, risk-based policies), Cloud App Discovery, Privileged Identity Management.
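As an added example (not part of the deck and not Microsoft's code), the following Python models the policy evaluation that the conditional access slides describe: conditions such as cloud app, IP range, device state, group membership and risk map to allow, enforce MFA or block, and the strictest matching action wins. The class and policy names, the risk scale and the 203.0.113.0/24 corporate range are all constructed for this example.

```python
"""Conditional access policy evaluation modelled on the conditions and actions
listed on the conditional access slides (cloud app, location/IP range, device
state, user group, MFA, risk -> allow / enforce MFA / block).

Added example: this is not Microsoft's code and not the real Azure AD engine;
every class, field, policy name and IP range below is an assumption made for
illustration.
"""
from dataclasses import dataclass
from enum import IntEnum
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional, Set, Tuple


class Action(IntEnum):
    """Actions from the slides, ordered so the strictest matching one wins."""
    ALLOW = 0
    ENFORCE_MFA = 1
    BLOCK = 2


# Constructed risk scale, mirroring the "risk" condition on the slides.
RISK_ORDER = {"none": 0, "low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class SignIn:
    """The facts about one sign-in attempt that a policy may inspect."""
    user: str
    groups: FrozenSet[str]
    app: str
    client_ip: str
    device_compliant: bool
    mfa_completed: bool
    risk: str = "none"


@dataclass(frozen=True)
class Policy:
    """A policy fires (applies its action) only when every set condition matches."""
    name: str
    action: Action
    apps: Optional[Set[str]] = None             # None: any cloud app
    groups: Optional[Set[str]] = None           # None: any user group
    trusted_ranges: Optional[List[str]] = None  # fire only OUTSIDE these ranges
    noncompliant_device_only: bool = False      # fire only for non-compliant devices
    min_risk: Optional[str] = None              # fire at this risk level or above


def policy_matches(policy: Policy, s: SignIn) -> bool:
    """Check every condition the policy sets against the sign-in."""
    if policy.apps is not None and s.app not in policy.apps:
        return False
    if policy.groups is not None and not (s.groups & policy.groups):
        return False
    if policy.trusted_ranges is not None:
        ip = ip_address(s.client_ip)
        if any(ip in ip_network(r) for r in policy.trusted_ranges):
            return False  # inside corpnet: a "location" policy does not fire
    if policy.noncompliant_device_only and s.device_compliant:
        return False
    if policy.min_risk is not None and RISK_ORDER[s.risk] < RISK_ORDER[policy.min_risk]:
        return False
    return True


def evaluate(policies: List[Policy], s: SignIn) -> Tuple[Action, List[str]]:
    """Return the final action and the names of the policies that fired.

    The strictest action among the matching policies wins. A completed MFA
    satisfies ENFORCE_MFA, but never downgrades a BLOCK.
    """
    fired = [p for p in policies if policy_matches(p, s)]
    if not fired:
        return Action.ALLOW, []
    decision = max(p.action for p in fired)
    if decision == Action.ENFORCE_MFA and s.mfa_completed:
        decision = Action.ALLOW
    return decision, [p.name for p in fired]


# Constructed policy set; 203.0.113.0/24 is a documentation range standing in
# for a corporate IP range (the "location (IP range)" condition on the slides).
CORP_RANGES = ["203.0.113.0/24"]

SAMPLE_POLICIES = [
    Policy("block-high-risk-signins", Action.BLOCK, min_risk="high"),
    Policy("mfa-outside-corpnet", Action.ENFORCE_MFA, trusted_ranges=CORP_RANGES),
    Policy("mfa-finance-portal", Action.ENFORCE_MFA,
           apps={"finance-portal"}, groups={"finance"}),
    Policy("block-mail-on-noncompliant-device", Action.BLOCK,
           apps={"exchange-online"}, noncompliant_device_only=True),
]


if __name__ == "__main__":
    # Constructed sign-in: finance user, on corpnet, compliant device, no MFA yet.
    attempt = SignIn("alice", frozenset({"finance"}), "finance-portal",
                     "203.0.113.10", device_compliant=True, mfa_completed=False)
    print(evaluate(SAMPLE_POLICIES, attempt))
```

Ordering matters: a block from a risk or device policy must survive even when the user has already completed MFA, which is why the MFA downgrade is applied only to ENFORCE_MFA.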

34 Identity-driven security
Chapter: Monitor and protect
Pillars: Identity Protection (notifications, analysis, remediation, risk-based policies), Cloud App Discovery, Privileged Identity Management.

35 Azure Active Directory Domain Services
Chapter: Manage everything
Your domain controller as a service: lift-and-shift on-premises apps to Azure IaaS.
Diagram: on-premises Windows Server Active Directory is connected to Azure Active Directory through Azure AD Connect; Azure AD Domain Services provides Kerberos, NTLM, LDAP and Group Policy inside your virtual network to your Azure IaaS workloads/apps.

36 Identity as the core of enterprise mobility
Identity as the core of enterprise mobility. Slide elements: simple connection; Windows Server Active Directory; other directories; self-service; single sign-on; Microsoft Azure Active Directory; SaaS; Azure; public cloud; on-premises; cloud.
Speaker notes: Microsoft has a solution for this. Traditional identity and access management solutions providing single sign-on to on-premises applications and directory services such as Active Directory are used by the vast majority of organizations, and huge investments were made to deploy and maintain them. These solutions are perfect for the on-premises world. Now, as we have discussed, there are new pressing requirements to provide the same experience for cloud applications hosted in any public cloud. Azure Active Directory can be the solution to this new challenge by extending the reach of on-premises identities to the cloud in a secure and efficient way. To do that, one simple connection is needed from on-premises directories to Azure AD, and everything else is handled by Azure AD: secure single sign-on to thousands of SaaS applications hosted in any cloud, using the same credentials that exist on-premises. And we don't forget the users: Azure AD provides self-service capabilities and easy access to all the applications, consumer or business, that they need, in the cloud and on-premises too (Application Proxy).

37 Azure Active Directory editions GA feature comparison + Office 365 IAM features
Editions compared: Azure Active Directory Free, Azure Active Directory Basic, Azure Active Directory Premium, and Office 365 apps only.
Common features:
Directory as a service: Free: 500,000 object limit; Basic: no object limit; Premium: no object limit; Office 365: no object limit for Office 365 user accounts.
User/group management (add/update/delete), user-based provisioning, device registration: Yes.
Single sign-on: Free: 10 apps per user (pre-integrated SaaS and developer-integrated apps); Basic: 10 apps per user (Free tier + Application Proxy apps); Premium: no limit (Free and Basic tiers + Self-Service App Integration templates [1]).
User-based access management/provisioning.
Self-service password change for cloud users.
Connect (sync engine that extends on-premises directories to Azure Active Directory).
Security reports/audit: 3 basic reports, or advanced security reports in Premium.
Basic features (Basic and Premium): group-based access management/provisioning; self-service password reset for cloud users; company branding (logon pages/access panel customization); Application Proxy; SLA.
Premium features: self-service group and app management, self-service application additions, dynamic groups; self-service password reset/change/account unlock with on-premises write-back; advanced usage reporting; multi-factor authentication (cloud and on-premises (MFA server)), with Office 365 apps only limited to cloud-only MFA for Office 365 apps; MIM CAL + MIM server; cloud app discovery; automated password rollover; Connect Health.
[1] Self-service integration of any application supporting SAML, SCIM, or forms-based authentication by using templates provided in the application gallery menu. For more details, please read this article.
Azure Active Directory Join (Windows 10 only related features): join a device to Azure AD, desktop SSO, Microsoft Passport for Azure AD, administrator BitLocker recovery: Yes. Premium: MDM auto-enrolment, self-service BitLocker recovery, additional local administrators on Windows 10 devices via Azure AD Join.


39 Microsoft Identity Manager
Use these slides to support the on-premises identity message if it is determined that the customer is interested or has a use case that requires MIM.

40 Introducing Microsoft Identity Manager 2016
MANAGE EVERYTHING: Introducing Microsoft Identity Manager 2016. Themes: cloud-ready identities, powerful user self-service, enhanced security. Highlights: automatic preparation of Active Directory identities for synchronization with Azure Active Directory; password reset with Azure Multi-Factor Authentication; dynamic groups with approvals and redesigned certificate management; hybrid reporting and privileged access management to protect administrator accounts; support for new security protocols.

41 Microsoft Identity Manager 2016 features
MANAGE EVERYTHING: Microsoft Identity Manager 2016 features. Themes: cloud-ready identities, powerful user self-service, enhanced security. Features: standardized Active Directory attributes and values; partitioned identities for synchronization to the cloud; easier-to-deploy reporting connected to Azure Active Directory; preparation of user profiles for Microsoft Office 365; self-service password reset with Multi-Factor Authentication; new REST-based APIs for AuthN/AuthZ; self-service account unlock; certificate management support for multi-forest and modern apps; privileged user and account discovery; new Windows PowerShell support and REST-based API; workflow management: elevated just-in-time administrator access; reporting and auditing specific to privileged access management.

42 Microsoft Identity Manager 2016
MANAGE EVERYTHING IAM evolution Microsoft Identity Manager 2016 ON-PREMISES HYBRID CLOUD Event - Mobility Event-Win 8.x/10 Managed: Microsoft System Center Configuration Manager On-premises LOB applications, traditional productivity iOS, Android, Windows Phone, BYOD Mobile apps, shadow IT SaaS solutions Managed: Microsoft Intune connected to System Center Configuration Manager On-premises LOB applications, managed SaaS, Office 365 hybrid deployment, Azure Active Directory implementation Deployment of cloud-enabled rich clients Managed cloud identities with Multi-Factor Authentication Managed by EMS: Combination of mobile clients (iOS, Android) and cloud-enabled clients (Windows 10) Managed SaaS and Office 365 Enterprise, full Azure IAM

43 Architecture: hybrid identity with MIM
MANAGE EVERYTHING Architecture: hybrid identity with MIM Microsoft Azure Active Directory IAM Azure AD Connect Microsoft Azure MIM Azure AD App Proxy Microsoft Identity Manager 2016 On-premises applications

44 Scenario: self-service password reset
Cloud User’s identity User IT Username ••••••••••••• ? Forgot your password? Self-service experiences On-premises applications

45 Microsoft Identity Manager 2016
Scenario: collapse multi-forest Active Directory into one Active Directory Microsoft Identity Manager 2016 Collapse directories Map multiple identities Transform usernames and other attributes

46 Scenario: implement privileged access management
Privileged access management. Existing AD forests: WS 2003 or later AD DS, existing FIM, existing apps, existing trust. Microsoft Identity Manager configured for PAM, with a trust for admin access and time-based memberships. Access requests flow from the user through MIM.
Request: Candidate: Jen; Group: Resource Admins; Domain: CORP.
Result: User "JenAdmin" (User: PRIV\JenAdmin); Groups: CORP\Resource Admins; Refresh after: 60 minutes; Group "Resource Admins".
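The scenario above has a candidate in the existing CORP forest request the Resource Admins role, a separate privileged account in the PRIV forest receive the group membership, and that membership lapse after 60 minutes. The following is an added example, not code from the presentation or from Microsoft Identity Manager: a small Python ledger for time-limited, just-in-time group membership that checks the requester against the role's candidate list, records an audit trail, and excludes expired memberships from the effective group set. The role, candidate and shadow-account names mirror the slide; the ledger API and the clock handling are constructed for illustration.

```python
"""Toy just-in-time privileged access ledger (constructed example, not MIM code).

A candidate from the existing forest requests a role; the candidate's
privileged (PRIV) account receives the group membership; the membership
carries a time limit (the slide's "Refresh after: 60 minutes") and drops
out of the effective group set once that limit passes.  The current time
is passed in explicitly so the behaviour is deterministic and testable.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, FrozenSet, List


@dataclass(frozen=True)
class Role:
    group: str                  # group in the existing forest, e.g. CORP\Resource Admins
    candidates: FrozenSet[str]  # accounts allowed to request the role
    ttl: timedelta              # how long one activation lasts


@dataclass(frozen=True)
class Elevation:
    user: str                   # privileged (PRIV forest) account
    group: str
    granted_at: datetime
    ttl: timedelta

    @property
    def expires_at(self) -> datetime:
        return self.granted_at + self.ttl

    def active(self, now: datetime) -> bool:
        return self.granted_at <= now < self.expires_at


class PamLedger:
    def __init__(self, roles: Dict[str, Role], shadow_accounts: Dict[str, str]):
        self.roles = roles
        self.shadow_accounts = shadow_accounts   # existing-forest account -> PRIV account
        self.elevations: List[Elevation] = []
        self.audit: List[str] = []

    def request(self, candidate: str, role_name: str, now: datetime) -> Elevation:
        """Activate a role for the candidate's privileged account, time-limited."""
        role = self.roles[role_name]
        if candidate not in role.candidates:
            self.audit.append(f"{now.isoformat()} DENIED {candidate} -> {role_name}")
            raise PermissionError(f"{candidate} is not a candidate for {role_name}")
        priv_user = self.shadow_accounts[candidate]
        elev = Elevation(priv_user, role.group, now, role.ttl)
        self.elevations.append(elev)
        self.audit.append(f"{now.isoformat()} GRANTED {priv_user} -> {role.group} "
                          f"until {elev.expires_at.isoformat()}")
        return elev

    def effective_groups(self, priv_user: str, now: datetime) -> FrozenSet[str]:
        """Groups the privileged account holds at this instant; expired ones are excluded."""
        return frozenset(e.group for e in self.elevations
                         if e.user == priv_user and e.active(now))

    def expire(self, now: datetime) -> List[Elevation]:
        """Remove memberships whose time limit has passed; returns what was removed."""
        gone = [e for e in self.elevations if now >= e.expires_at]
        self.elevations = [e for e in self.elevations if now < e.expires_at]
        for e in gone:
            self.audit.append(f"{now.isoformat()} EXPIRED {e.user} -> {e.group}")
        return gone


# Constructed configuration mirroring the slide's names.
ROLES = {"Resource Admins": Role(r"CORP\Resource Admins", frozenset({r"CORP\Jen"}),
                                 timedelta(minutes=60))}
SHADOW_ACCOUNTS = {r"CORP\Jen": r"PRIV\JenAdmin"}


def run_scenario() -> dict:
    """Walk the slide's scenario: Jen activates Resource Admins and holds it for 60 minutes."""
    ledger = PamLedger(ROLES, SHADOW_ACCOUNTS)
    t0 = datetime(2018, 4, 28, 10, 0, tzinfo=timezone.utc)   # constructed timestamp
    elev = ledger.request(r"CORP\Jen", "Resource Admins", t0)
    try:
        ledger.request(r"CORP\Bob", "Resource Admins", t0)     # Bob is not a candidate
        bob_denied = False
    except PermissionError:
        bob_denied = True
    return {
        "priv_user": elev.user,
        "groups_at_30m": ledger.effective_groups(elev.user, t0 + timedelta(minutes=30)),
        "groups_at_60m": ledger.effective_groups(elev.user, t0 + timedelta(minutes=60)),
        "expired_count": len(ledger.expire(t0 + timedelta(minutes=61))),
        "bob_denied": bob_denied,
        "remaining": len(ledger.elevations),
        "audit": list(ledger.audit),
    }


if __name__ == "__main__":
    for line in run_scenario()["audit"]:
        print(line)
```

The effective group set is computed from the ledger at query time rather than by mutating a static group, so a membership cannot outlive its time limit even if the periodic `expire` sweep is late; the sweep exists only to tidy the ledger and write the audit entry.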

47 Deep dive: DirSync, Azure AD, and MIM Sync
Deep dive: DirSync, Azure AD, and MIM Sync.
Earlier: DirSync; Azure Active Directory Sync; FIM Sync (+ Azure Active Directory Connector).
Today: Azure Active Directory Connect; MIM Sync (+ Azure Active Directory Connector).
Future: Azure Active Directory Connect.

48 Deep dive: migrate to Azure Active Directory
Microsoft Azure Active Directory. Azure Active Directory Connect: connect and sync on-premises directories with Azure. Other directories: PowerShell, LDAP v3, SQL (ODBC), web services (SOAP, Java, REST).

49 Deep dive: IAM in MIM vs. Azure Active Directory
Microsoft Identity Manager Password reset/management YES Group management YES, not dynamic Provisioning, deprovisioning NO Certificate management Role-based access control

