Windows devices in Azure AD: why should I care?


1 Windows devices in Azure AD: why should I care?
BRK3352. Jairo Cadena, Program Manager, Identity Division, Microsoft. JairoC_AzureAD | jairocadena.com. © Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

2 Azure Active Directory in the marketplace
Every Office 365 and Microsoft Azure customer uses Azure Active Directory.
- 12.8M organizations (+30% YoY)
- 950M users (+45% YoY)
- 272K 3rd party apps in Azure AD (+200% YoY)
- 56K paid Azure AD / EMS customers (+74% YoY)
- 90% of Fortune 500 companies use Azure AD

3 Why Windows devices in Azure AD?
- Access control and identity protection
  - Conditional access based on device policies
- Ease of deployment and management
- Better secure experiences for your users

4 The challenge
On-premises: managed devices, Active Directory. 7/23/2018

5 Azure AD conditional access
Signals evaluated:
- Users: user identity, group memberships
- Devices: Hybrid Azure AD joined? Marked compliant? Platform type. Lost/stolen?
- Application: per-service, managed client app
- Other: location (network), time of day, risk profile
Controls: Allow, Block, MFA, Enroll, Terms of Use
Targets include on-premises applications.
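To show how these signal categories and controls combine into one decision, here is an added Go example written for this transcript; it is a simplified model, not Microsoft's conditional access engine, and the Signals and Policy types, the control names and the ExamplePolicies set are all constructed for the illustration. It keeps the two properties a practitioner relies on: a Block outcome overrides every grant, and a "managed device" requirement is satisfied by either a compliant or a hybrid Azure AD joined device, exactly the device signals listed above.

```go
package main

import (
	"fmt"
	"sort"
)

// Signals are the inputs a conditional access decision is made from (user, device,
// application, location, risk, as on the slide). Added simplified model, not Microsoft's code.
type Signals struct {
	User, App, Platform string
	Groups              []string
	HybridJoined        bool   // hybrid Azure AD joined
	Compliant           bool   // marked compliant by MDM
	LostOrStolen        bool   // device reported lost/stolen
	TrustedNetwork      bool   // location (network) signal
	Risk                string // "none", "medium" or "high"
}

// Control is a grant control a matching policy asks for.
type Control string

const (
	Block                Control = "block"
	RequireMFA           Control = "mfa"
	RequireManagedDevice Control = "managed-device" // compliant or hybrid joined
	RequireTermsOfUse    Control = "terms-of-use"
)

// Policy matches on a subset of signals; an empty list or field means "any".
type Policy struct {
	Name                    string
	Groups, Apps, Platforms []string
	OnlyUntrustedNetwork    bool
	MinRisk                 string
	Controls                []Control
}

var riskRank = map[string]int{"medium": 1, "high": 2}

// anyIn reports whether any of xs appears in list.
func anyIn(list []string, xs ...string) bool {
	for _, v := range list {
		for _, x := range xs {
			if v == x {
				return true
			}
		}
	}
	return false
}

func (p Policy) matches(s Signals) bool {
	if len(p.Groups) > 0 && !anyIn(p.Groups, s.Groups...) {
		return false
	}
	if len(p.Apps) > 0 && !anyIn(p.Apps, s.App) {
		return false
	}
	if len(p.Platforms) > 0 && !anyIn(p.Platforms, s.Platform) {
		return false
	}
	if p.OnlyUntrustedNetwork && s.TrustedNetwork {
		return false
	}
	return riskRank[s.Risk] >= riskRank[p.MinRisk] // MinRisk "" ranks 0: always matches
}

// Decision: allow, refuse with a reason, or allow once the interactive
// controls listed in Pending (MFA, terms of use) have been completed.
type Decision struct {
	Allowed bool
	Reason  string
	Pending []Control
}

// Evaluate applies every matching policy: Block always wins, the device
// requirement is settled from the device signals, interactive controls are
// handed back as pending for the client to complete.
func Evaluate(policies []Policy, s Signals) Decision {
	if s.LostOrStolen {
		return Decision{Reason: "device reported lost or stolen"}
	}
	need := map[Control]bool{}
	for _, p := range policies {
		if !p.matches(s) {
			continue
		}
		for _, c := range p.Controls {
			if c == Block {
				return Decision{Reason: "blocked by policy " + p.Name}
			}
			need[c] = true
		}
	}
	if need[RequireManagedDevice] && !(s.Compliant || s.HybridJoined) {
		return Decision{Reason: "device must be marked compliant or hybrid Azure AD joined"}
	}
	var pending []Control
	for c := range need {
		if c != RequireManagedDevice {
			pending = append(pending, c)
		}
	}
	sort.Slice(pending, func(i, j int) bool { return pending[i] < pending[j] })
	return Decision{Allowed: true, Reason: "granted", Pending: pending}
}

// ExamplePolicies is a constructed policy set for the scenarios below.
var ExamplePolicies = []Policy{
	{Name: "block high risk sign-ins", MinRisk: "high", Controls: []Control{Block}},
	{Name: "managed device for Exchange Online", Apps: []string{"Exchange Online"}, Controls: []Control{RequireManagedDevice}},
	{Name: "MFA off the corporate network", OnlyUntrustedNetwork: true, Controls: []Control{RequireMFA}},
	{Name: "terms of use for guests", Groups: []string{"Guests"}, Controls: []Control{RequireTermsOfUse}},
}

func main() {
	fmt.Printf("%+v\n", Evaluate(ExamplePolicies, Signals{User: "bob", App: "Exchange Online", Platform: "iOS"}))
	fmt.Printf("%+v\n", Evaluate(ExamplePolicies, Signals{User: "alice", App: "Exchange Online", Platform: "Windows", HybridJoined: true, TrustedNetwork: true}))
}
```

The unmanaged iOS device in the first call is refused without any Block policy firing: the Exchange Online policy asks for a managed device and the device signals cannot satisfy it. The hybrid Azure AD joined Windows device on the trusted network is granted with nothing pending, which is the device-based conditional access outcome the demos that follow are built around.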

6 Windows 10 personal and other devices
Windows 10 work devices:
- AD domain joined (AD)
- Hybrid Azure AD joined, a.k.a. domain joined and registered with Azure AD (AD + Azure AD)
- Azure AD joined (Azure AD)
Windows 10 personal and other devices:
- Azure AD registered, a.k.a. Workplace joined (Azure AD)

7 Azure AD device-based conditional access
Demo

8 Google Chrome support for SSO & device-based CA
Demo

9 Windows 7 hybrid Azure AD join with Seamless SSO
Components: Windows 7 device (hidden IE browser), on-premises AD (DC with the AAD-Svc account holding the AAD-SPN), Azure AD, Azure DRS.
1. User signs in to Windows and the task runs (S-SSO=true).
2. A hidden IE browser navigates to Azure AD to authenticate to Azure DRS, passing the SCP value as domain_hint.
3. Azure AD returns 401 with a WWW-Authenticate header of Negotiate.
4. The client gets a Kerberos ticket from the DC for the "Azure AD" SPN.
5. The IE browser resends the request with the ticket in the Authorization header.
6. Azure AD, via Seamless SSO, authorizes the Kerberos ticket and returns an access token for Azure DRS.
7. The client completes registration against Azure DRS.

10 Why Windows devices in Azure AD?
- Access control and identity protection
  - Conditional access based on device policies
  - Auto VPN connectivity protection
- Ease of deployment and management
- Better secure experiences for your users

11 Auto VPN connectivity and Azure AD conditional access
Components: Windows device (Cloud AP, WAM, VPN client), Azure AD, VPN server.
1. PRT obtained and cached upon user sign-in to Windows (Cloud AP).
2. VPN client calls WAM getToken() for the "VPN server" app.
3. WAM sends the request to Azure AD, passing the PRT.
4. Azure AD authenticates the PRT and authorizes against the CA policy.
5. Azure AD returns the "access token" in the form of a certificate.
6. WAM installs the certificate in the user store and returns the call to the VPN client.
7. VPN client uses the certificate to authenticate to the VPN server and establishes connectivity.

12 Azure AD conditional access and VPN
Demo

13 Why Windows devices in Azure AD?
- Access control and identity protection
  - Conditional access based on device policies
  - Auto VPN connectivity protection
  - Reduced risk for identity protection
- Ease of deployment and management
- Better secure experiences for your users

14 Identity protection: devices and unfamiliar location

15 Why Windows devices in Azure AD?
- Access control and identity protection
  - Conditional access based on device policies
  - Auto VPN connectivity protection
  - Reduced risk for identity protection
- Ease of deployment and management
  - Devices blade in Azure portal
- Better secure experiences for your users

16 Devices blade in the Azure Portal
Demo

17 Why Windows devices in Azure AD?
- Access control and identity protection
  - Conditional access based on device policies
  - Auto VPN connectivity protection
  - Reduced risk for identity protection
- Ease of deployment and management
  - Devices blade in Azure portal
  - AutoPilot and Windows activation
  - Co-management
- Better secure experiences for your users

18 Assignment of enterprise licenses for Windows activation
Demo

19 Why Windows devices in Azure AD?
- Access control and identity protection
  - Conditional access based on device policies
  - Auto VPN connectivity protection
  - Reduced risk for identity protection
- Ease of deployment and management
  - Devices blade in Azure portal
  - AutoPilot and Windows activation
  - Co-management
- Better secure experiences for your users
  - SSO to cloud and on-prem apps/resources
  - Consistent settings across devices
  - Bio-gesture sign-in to Windows and org.

20 Windows Hello for Business and the route to “password-less”

21 Provisioning of Windows Hello for Business
Components: Windows 10 device, Azure AD, Azure DRS.
1. User authenticates with password + MFA and provides a bio-gesture.
2. Windows generates the WHfB key in the Trusted Platform Module (TPM), protected with the bio-gesture, plus an attestation blob.
3. Windows sends the WHfB public key + attestation blob + AIK cert to Azure DRS.
4. Azure AD verifies the WHfB public key with the attestation blob and registers the key with the user.
5. Azure AD returns the key ID.

22 Sign-in to Windows 10 with Windows Hello for Business
Components: Windows 10 device, Azure AD.
1. User signs in with the bio-gesture, which unlocks the WHfB key.
2. Windows sends "hello".
3. Azure AD sends back a nonce.
4. Windows sends the nonce signed with the WHfB key, together with the key ID.
5. Azure AD returns PRT + ID token + encrypted session key, protected in the TPM.
6. User enjoys SSO to cloud and on-premises apps.
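The provisioning exchange on slide 21 and the sign-in exchange on slide 22 are, at their core, a key registration followed by a nonce challenge-response. The Go example below, added for this transcript and not Microsoft's code or the Windows Hello wire format, plays both sides: a Server standing in for Azure AD / Azure DRS registers a public key and later challenges with a nonce; a Device standing in for the Windows 10 client holds an ECDSA P-256 key in memory where Windows Hello keeps it in the TPM behind the bio-gesture. The attestation blob and AIK cert check is reduced to an mfaDone flag, the key ID is a constructed truncated hash of the public key, and the returned string stands in for the PRT; these are all assumptions of the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/hex"
	"errors"
	"fmt"
)

// Server stands in for Azure AD / Azure DRS: registered Hello public keys by
// key ID, their owners, and nonces issued but not yet consumed.
type Server struct {
	keys   map[string]*ecdsa.PublicKey
	owner  map[string]string
	nonces map[string]bool
}

func NewServer() *Server {
	return &Server{keys: map[string]*ecdsa.PublicKey{}, owner: map[string]string{}, nonces: map[string]bool{}}
}

// Register is provisioning steps 3 to 5: accept the public key, register it
// with the user, return a key ID. The attestation blob / AIK cert check of
// step 4 is reduced to the mfaDone flag (assumption of this example).
func (s *Server) Register(user string, pub *ecdsa.PublicKey, mfaDone bool) (string, error) {
	if !mfaDone {
		return "", errors.New("provisioning requires password + MFA")
	}
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(der)
	id := hex.EncodeToString(sum[:8]) // constructed key ID: truncated hash of the public key
	s.keys[id], s.owner[id] = pub, user
	return id, nil
}

// Hello is sign-in steps 2 and 3: answer "hello" with a fresh random nonce and
// remember it so it can be accepted exactly once.
func (s *Server) Hello() ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.nonces[hex.EncodeToString(nonce)] = true
	return nonce, nil
}

// Verify is steps 4 and 5: check the signature over the nonce against the key
// registered under keyID, consume the nonce so a captured response cannot be
// replayed, and issue a session token (stand-in for the PRT) for the owner.
func (s *Server) Verify(keyID string, nonce, sig []byte) (string, error) {
	pub, ok := s.keys[keyID]
	if !ok {
		return "", errors.New("unknown key ID")
	}
	h := hex.EncodeToString(nonce)
	if !s.nonces[h] {
		return "", errors.New("nonce not issued or already used")
	}
	digest := sha256.Sum256(nonce)
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return "", errors.New("signature does not verify under the registered key")
	}
	delete(s.nonces, h)
	return "PRT-for-" + s.owner[keyID], nil
}

// Device stands in for the Windows 10 client; the in-memory P-256 key is the
// example's substitute for the TPM-held WHfB key.
type Device struct {
	priv  *ecdsa.PrivateKey
	keyID string
}

func NewDevice() (*Device, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{priv: priv}, nil
}

// Enroll is the device side of provisioning: send the public key, keep the key ID.
func (d *Device) Enroll(s *Server, user string, mfaDone bool) error {
	id, err := s.Register(user, &d.priv.PublicKey, mfaDone)
	if err == nil {
		d.keyID = id
	}
	return err
}

// SignNonce is step 4 on the device: sign the server's nonce with the Hello key.
func (d *Device) SignNonce(nonce []byte) ([]byte, error) {
	digest := sha256.Sum256(nonce)
	return ecdsa.SignASN1(rand.Reader, d.priv, digest[:])
}

// SignIn runs the whole challenge-response from the device's side.
func SignIn(s *Server, d *Device) (string, error) {
	nonce, err := s.Hello()
	if err != nil {
		return "", err
	}
	sig, err := d.SignNonce(nonce)
	if err != nil {
		return "", err
	}
	return s.Verify(d.keyID, nonce, sig)
}

func main() {
	s := NewServer()
	d, _ := NewDevice()
	fmt.Println("enroll without MFA:", d.Enroll(s, "alice", false))
	fmt.Println("enroll with MFA:", d.Enroll(s, "alice", true))
	tok, err := SignIn(s, d)
	fmt.Println("sign-in:", tok, err)
}
```

Two checks matter for the security of the exchange and both are in Verify: the signature must verify under the key registered for the presented key ID (a different device's key, even a valid one, fails), and the nonce is deleted on first use so the same signed nonce cannot be presented twice. The password is used only during provisioning; sign-in never transmits it, which is the "password-less" route the section title refers to.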

23 Bio-gesture sign-in, SSO and conditional access
Demo

24 Good reasons for Windows devices in Azure AD
- Access control and identity protection
  - Conditional access based on device policies
  - Auto VPN connectivity protection
  - Reduced risk for identity protection
- Ease of deployment and management
  - Devices blade in Azure portal
  - AutoPilot and Windows activation
  - Co-management
- Better secure experiences for your users
  - SSO to cloud and on-prem apps/resources
  - Consistent settings across devices
  - Bio-gesture sign-in to Windows and org.

25 Roadmap
- FIDO support
- “Last logon time stamp” on device objects
- Easier deployment of hybrid Azure AD joined devices
- Self-service PIN and password reset from lock screen
- Alternate login ID support
- AutoPilot “plug and forget”
- Application-based conditional access
- Device-based conditional access based on device groups

26 Identity @ Ignite | Monday
BRK3020 | What's new and upcoming in AD FS to securely sign-in your users to Office 365 and other applications | OCCC Valencia W415 CD | Monday 4:00–5:15 | Sam Devasahayam
Ignite | Tuesday
BRK2019 | Productivity and protection for your employees, partners, and customers with Azure Active Directory | OCCC West Hall F2 | Tue 9:00–10:15 | Alex Simons, Nasos Kladakis
THR2072 | Migrate your apps from legacy APIs to Microsoft Graph | OCCC South – Expo Theater #6 | Tue 11:35-11:55 | Jeff Sakowicz, Dan Kershaw
BRK2017 | Saying goodbye to passwords | OCCC West Hall F3-4 | Tue 12:45-1:30 | Manini Roy
THR2071 | Managing enterprise applications, permissions, and consent in Azure Active Directory | OCCC West Building Theater - Level 2 | Tue 2:10–2:30 | Jeff Sakowicz
BRK1051 | Locking down access to the Azure Cloud using SSO, Roles Based Access Control, and Conditional Access | OCCC W308 | Tue 2:15–3:30 | Stuart Kwan

27 Identity @ Ignite | Wednesday
BRK3388 | Build applications to secure and manage your enterprise using Microsoft Graph | OCCC S210 | Wed 09:00-09:45 | Jeff Sakowicz, Dan Kershaw
BRK3225 | Office development: Authentication demystified | OCCC W315 | Wed 10:45–12:00 | Vittorio Bertocci
BRK3146 | The power of common identity across any cloud | OCCC W240 | Wed 12:45-1:30 | Sam Devasahayam
THR2126 | Azure Active Directory: Your options explained from AD sync to pass through authentication & more | OCCC West – Microsoft Ignite Studio | Wed 1:35-1:55 | Alex Simons, Simon May
BRK3352 | Windows devices in Azure Active Directory: Why should I care? | OCCC Valencia W415 AB | Wed 2:15–3:30 | Jairo Cadena
THR2007 | How to get Office 365 to the next level with Azure Active Directory Premium | OCCC South – Expo Theater | Wed 3:15-4:00 | Brjann Brekkan
BRK3295 | What’s new in Azure Active Directory Domain Services | Hyatt Regency Windermere Z | Wed 4:00–5:15 | Mahesh Unnikrishnan
BRK3016 | Shut the door to cybercrime with Azure Active Directory risk-based identity protection | OCCC Valencia W415 CD | Alex Weinert, Nitika Gupta

28 Identity @ Ignite | Thursday
BRK2018 | Share corporate resources with your partners using Azure Active Directory B2B collaboration | OCCC W230 | Thu 9:00–10:15 | Mary Lynch, Sarat Subramaniam, Laith Al Shamri
BRK3207 | The keys to the cloud: Use Microsoft identities to sign in and access API from your mobile+web apps | OCCC S310 | Thu 10:45-12:00 | Vittorio Bertocci
BRK3012 | Secure access to Office 365, SaaS and on-premises apps with Microsoft Enterprise Mobility + Security | OCCC W311 | Caleb Baker, Chris Green
BRK3013 | Ensure users have the right access with Azure Active Directory | OCCC Valencia W415 AB | Thu 12:30–1:45 | Joseph Dadzie, Mark Wahl
BRK3015 | Deep-dive: Azure Active Directory Authentication and Single-Sign-On | OCCC West Hall E1 | Thu 2:15-3:30 | John Craddock
BRK3014 | Azure Active Directory best practices from around the world | Thu 4:00–5:15 | Tarek Dawoud, Mark Morowczynski
Ignite | Friday
BRK2276 | Modernize your customer identity management with Azure Active Directory B2C | OCCC W314 | Friday 9:00-9:45 | Saeed Akhter

29 Please evaluate this session
From your PC or tablet: visit MyIgnite. From your phone: download and use the Microsoft Ignite mobile app. Your input is important!
