Azure Active Directory

for the Hybrid Enterprise
Keith Brintzenhofe
Group Program Manager
Azure AD Identity & Access Management
MICROSOFT CONFIDENTIAL

Agenda
Azure AD and the Hybrid Enterprise
Azure AD Identity & Access Management Scenarios
Azure AD Premium
Q&A

Windows Azure

cloud based identity management service providing federation. device registration. A natural extension to on premises directories. directory services. user provisioning. application access control & data protection. the combination of Windows Server AD and Windows Azure AD lets you secure today’s hybrid enterprise.Azure Active Directory: The Vision A modern. • On-premises and cloud Active Directory managed as one • Consistent identities for on-premises and cloud applications • Easy end user experience with single sign on and self-service features .

Azure Active Directory and the Hybrid Enterprise Self-Service On-premises and private cloud Azure Active Directory Identity Management HR Other apps Sync Custom apps Windows Server Other Directories Active Directory SaaS apps 10.000 + apps Active Directory Federation Services Devices Other Directories .

Azure AD Identity and Access Management Scenarios Simplify access and control of SaaS applications Reduce IT burden with self-service IAM Improve security posture with cloud services Easily meet reporting requirements Rapidly develop and deploy new enterprise capabilities Windows Azure .

LDAP.Azure AD directory management • Manage users in your cloud directory • Management portal • PowerShell • Programmatic – Graph API • Assign familiar user names in domains your organization already uses • Self-service verification of your domains • Integrate with existing directories • Sync users into your cloud directory from a Windows Server AD. or other existing directory • Users can access their cloud resources with their Windows Server AD username and password .

web requests or volume of data exchanged with the application • Drill down into specific applications for targeted information • Easily integrate an application with Azure Active Directory .Discover all SaaS apps in use within your organization Cloud App Discovery • Fortune 500 company with 60.000+ international employees • Worried about corporate data leakage • Departments are adopting multiple subscriptions to SaaS apps without IT involvement • Need inventory of applications to begin gaining control and to enable SSO • Features used • Endpoint agent for application discovery with ability to distribute using SCCM • Interactive dashboard: • View total number of SaaS apps in use • View number of users using SaaS apps • View top SaaS apps with categories in use • See usage graphs for SaaS apps that can be pivoted on users.

Simplify access and control of SaaS applications SaaS App Management • Professional services company. Workday. 4500 employees • Interested in Office 365. Yammer and other SaaS applications • Needs centralized management of employee access to SaaS applications • Features used • Windows Azure AD single sign on (SSO) for SaaS applications • Automated user provisioning and de-provisioning to SaaS applications • Access Panel at myapps.com • Company-branded sign-in and app access experience 7:37 AM . Salesforce.microsoft.

000+ international employees • Needed automated user provisioning and deprovisioning to SaaS apps including ServiceNow • ServiceNow also requires group objects • Features used • Synchronize across on-premises data sources and into Windows Azure AD • Windows Azure AD provides user and group provisioning to ServiceNow and other SaaS apps .Simplify access and control of SaaS applications SaaS App User Provisioning • Fortune 500 company with 100.

000+ international employees • Multiple data sources on-premises • Need to provision users and groups to Windows Azure AD for control of SaaS • Features used • Synchronize on-premises data sources to Windows Azure AD • Group-based application assignment in WAAD • Incorporate users from HR sources such as SAP.Simplify access and control of SaaS applications Windows Azure AD Connector • Fortune 500 company with 100. PeopleSoft and Oracle .

Understand the ROI on SaaS applications Usage and Business reporting • Large multi-national enterprise • Seeking to evaluate application usage and access patterns • Features used • Application dashboard • Cross company application usage • Detailed usage for specific apps .

Self-service identity and access management Self-Service Password Reset for Users • University with 20k current students • Existing on-premises password reset solution in place does not cover alumni and is difficult to manage • Features used • Reset of on-premises passwords from the cloud (pwd. writeback to WSAD) • Phone and email verification methods • End-user registration of contact methods • Customization of helpdesk URL and branding of Password Reset Portal with university’s logo .

Self-service identity and access management Custom Branding • Financial services firm with 200+ offices • Needs consistent look-and-feel across authentication experiences • Already using Office365 and Active Directory • Features used • Sign-in page branded with company logo and illustration • Customized help text on sign-in page • Access Panel for end-users customized with company logo .

assign users • Owner can delegate ownership • Self-service group management • Users can search for groups and request to join • Owner approves requests • Groups can be set to auto-approve .Self-service identity and access management Self-Service Group Management • Large multi-national enterprise • Enable distributed group creation and management • Delegated group management • End users can create groups.

one time bypass capabilities • End-user self-service enrollment • Audit reports for MFA activity • Whitelisting IP Addresses to bypass MFA from Corpnet • ‘Remember this device’ feature to require MFA only from un-trusted devices . or alternate phone) • Features used • Targeted MFA for sensitive accounts • Customization of MFA greetings.Improve security posture with cloud services Multi-Factor Authentication • Local government agency • Protect access to sensitive applications • Avoid end user lock out using multiple MFA methods: (Phone App. fraud alerts. Call or SMS Mobile. Office.

Improve security posture with cloud services Security and Usage Reporting • Large multi-national enterprise • Frequent target of attempts to gain unauthorized access to employee accounts • Features used • Anomaly detection: credential sharing credential misuse/loss brute force attacks access from behind anonymizers • Machine learning • Detection of attacks spanning organizations • Investigate sign in activity and devices • Admin Notifications • Download data for offline analysis .

etc. in Office 365 and other applications • Applications can extend Windows Azure AD schema • Read & write attributes which are useful to other applications in the organization • Cross-platform support • Web applications and web APIs can run on Windows Azure or other infrastructure • Native client applications can run on iOS. OpenID Connect. web APIs.Rapidly develop and deploy new enterprise capabilities • Write custom LOB applications that integrate with Windows Azure AD • Website applications. and Windows • Open Standards • SAML. calendar. Android.0. OAuth 2. Odata 3. and native client applications • Users sign in to AD-integrated applications with their cloud identities • Single sign-on with Office 365 and other services that use Windows Azure AD • AD-integrated applications can access Office 365 and other web APIs • Write powerful applications that access email. files.0 . contacts.

up to 500K Objects Yes .No Limit User/Group Management Yes Yes SSO to pre-integrated SAAS Applications /Custom Apps Yes Yes Directory Synchronization Tool (WSAD Extension) Yes Yes User-Based access management/provisioning Yes Yes Directory as a Service Group-based access management/provisioning Yes Self-Service Group Management for cloud users Yes Self-Service Change Password for cloud users Yes Self-Service Reset Password for cloud users Security Reports Multi-Factor Authentication Yes Yes Yes Yes Yes (MFA related) Advanced Security Reporting (machine learning-based) Yes Usage Reporting Yes Custom Branding (Logon/Access Panel customization) Yes MFA (All available features on Windows Azure and on premises) Yes Yes SLA Yes Yes FIM CAL + FIM Server Yes .Azure Active Directory features comparison AAD Free AAD Premium Yes .

Discussion and Next Steps • Learn More about Azure Active Directory: http://azure.ms/aadforum My contact info – kbrint@microsoft.azure.com/ • Give us feedback via the forums at http://aka.com .com/en-us/solutions/identity/ • Get started with Cloud App Discovery at https://appdiscovery.microsoft.

MICROSOFT CONFIDENTIAL .