1. Microsoft Ignite NZ
25-28 October 2016
SKYCITY, Auckland

2. Identity; What you need to know to be in the Microsoft Cloud
Mark Rhodes
Premier Field Engineer
Microsoft

3. Agenda Cloud Identity Model Synchronized Identity Model
Microsoft Office
11/28/2018
Agenda
Cloud Identity Model
Synchronized Identity Model
Federated Identity Model d
© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

4. What is Azure Active Directory?
Microsoft Ignite 2016
11/28/2018 4:03 PM
What is Azure Active Directory?
A comprehensive identity and access management cloud solution.
It combines directory services, advanced identity governance, application access management and a rich standards-based platform for developers
It is available in 3 editions: free, Basic and Premium
© 2016 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

5. Microsoft Cloud Identity Models
11/28/2018
Microsoft Cloud Identity Models
Cloud identity
Zero on-premises servers
Synchronized ID
Directory sync with password sync
On-premises identity
Federated ID
On-premises identity
Directory sync
Federation
© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

6. Cloud Identity Model Microsoft Office 11/28/2018 d
© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

7. Cloud identity model On-premises directory User User accounts
Microsoft Ignite 2015
11/28/2018 4:03 PM
Cloud identity model
User
User accounts
On-premises
directory
© 2015 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

8. Synchronized Identity Model
Microsoft Office
11/28/2018
Synchronized Identity Model
© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

9. Synchronized Identity Model
Microsoft Ignite 2015
11/28/2018 4:03 PM
Synchronized Identity Model
Password hashes
User accounts
Synchronized identity
Azure AD Sync
On-premises
directory
Sign-on
User
© 2015 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

10. Password Security Extra Security Azure AD On-premises directory Hash
User
Password
On-premises
directory p

11. Choosing between sync tools
DirSync
Azure AD Sync
Azure AD Connect p

12. Azure AD Connect: Your Identity Bridge
Microsoft Ignite 2015
11/28/2018 4:03 PM
Azure AD Connect: Your Identity Bridge
Other identity stores
Azure AD Connect
(sync + sign on)
SaaS Apps
Your Custom Apps
LDAP directories
Box
Citrix
Concur
GoToMeeting
Docusign
DropBox
Google apps
Jive
Salesforce
Servicenow
Workday …
Common
Sign on
Active Directory p
User
Device
© 2015 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

13. Making Hybrid Identity Simple
Microsoft Ignite 2015
11/28/2018 4:03 PM
Making Hybrid Identity Simple p
© 2015 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

14. Federated Identity Model
Microsoft Office
11/28/2018
Federated Identity Model d
© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

15. Federated identity model
Microsoft Ignite 2015
11/28/2018 4:03 PM
Federated identity model
Password hashes
User accounts
Federated identity
Azure AD Sync
AD FS
Sign-on
Authentication
On-premises
directory
User
Authentication d
© 2015 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

16. Azure AD Connect – Making Identity Easy
11/28/2018
Azure AD Connect – Making Identity Easy
© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

17. Demo: Azure AD Connect
Mark Rhodes d

18. Federated Sign-In Scenarios
Workstation
On Corp Domain
Off Corp Domain
Inside Corp Network
Single Sign On
Windows Authentication
Public Internet
HTML Login Page

19. Password Sync Backup for Federated Sign-In
Microsoft Ignite 2015
11/28/2018 4:03 PM
Password Sync Backup for Federated Sign-In
Federated identity
Backup Password Hash Sync
User accounts
AD FS
Azure AD Sync
On-premises
directory
© 2015 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

20. How to choose an identity model
Microsoft Ignite 2015
11/28/2018 4:03 PM
How to choose an identity model
Cloud identity
Synchronized identity
Federated identity
Zero on-premises servers
Directory sync with password sync
Federation
Directory sync
On-premises identity
On-premises identity d
© 2015 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

21. When to choose “Cloud” No On-Premises Directory
Microsoft Ignite 2015
11/28/2018 4:03 PM
When to choose “Cloud”
No On-Premises Directory
On-Premises Directory Restructure
Office 365 / Azure Pilot
Cloud identity d
© 2015 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

22. When to choose “Synchronised”
Existing User Accounts
Save credentials in Credential Manager
Outlook does not support SSO
Recommended approach
Syncronised identity d

23. When to choose “Federated”
Microsoft Ignite 2015
11/28/2018 4:03 PM
When to choose “Federated”
ADFS Already Deployed
Third Party IdP
FIM / MIM Already Deployed
On-Premises MFA / Smart Card Requirement
Audit Sign-in / Immediately Disable Users
Client Sign in Restrictions
Policy preventing Password Sync
Hybrid Search
Single Sign-On Required
Federated identity d
© 2015 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

24. Change between models as needs change
Microsoft Ignite 2015
11/28/2018 4:03 PM
Change between models as needs change
Cloud Identity to Synchronized Identity
Deploy AAD Connect
Hard match or soft match of users
Synchronized Identity to Federated Identity
Can leave password sync enabled as backup
Federated identity to Synchronized Identity
PowerShell Convert-MsolDomainToStandard
Takes 2 hours plus 1 additional hour per 2,000 users
Set-MsolDomainAuthentication -Authentication Managed
Synchronized Identity to Cloud Identity
PowerShell Set-MsolDirSyncEnabled
Takes 72 hours and you can monitor with Get-MsolCompanyInformation d
© 2015 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

25. Recommendation Choose the simplest model that meets your requirements
Microsoft Ignite 2015
11/28/2018 4:03 PM
Recommendation
Choose the simplest model that meets your
requirements d
© 2015 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

26. Questions?

27. Summary Cloud Identity Scenarios Ease of AAD Connect Installation
Choose simplest model for your requirements