
Azure Active Directory

for the Hybrid Enterprise
Keith Brintzenhofe
Group Program Manager
Azure AD Identity & Access Management

Azure AD and the Hybrid Enterprise
Azure AD Identity & Access Management Scenarios
Azure AD Premium

Windows Azure

Azure Active Directory: The Vision
A modern, cloud-based identity management service providing federation, directory services, device registration, user provisioning, application access control & data protection. A natural extension to on-premises directories: the combination of Windows Server AD and Windows Azure AD lets you secure today's hybrid enterprise.
• On-premises and cloud Active Directory managed as one
• Consistent identities for on-premises and cloud applications
• Easy end user experience with single sign on and self-service features

Azure Active Directory and the Hybrid Enterprise (architecture diagram): on-premises and private cloud (Windows Server Active Directory, Active Directory Federation Services, HR, other directories, other apps, custom apps) → Sync → Azure Active Directory (Identity Management, Self-Service) → SaaS apps (10,000+ apps), devices, other directories

Azure AD Identity and Access Management Scenarios
• Simplify access and control of SaaS applications
• Reduce IT burden with self-service IAM
• Improve security posture with cloud services
• Easily meet reporting requirements
• Rapidly develop and deploy new enterprise capabilities

Azure AD directory management
• Manage users in your cloud directory
  • Management portal
  • PowerShell
  • Programmatic – Graph API
• Assign familiar user names in domains your organization already uses
  • Self-service verification of your domains
• Integrate with existing directories
  • Sync users into your cloud directory from a Windows Server AD, LDAP, or other existing directory
  • Users can access their cloud resources with their Windows Server AD username and password

Discover all SaaS apps in use within your organization
Cloud App Discovery
• Fortune 500 company with 60,000+ international employees
• Worried about corporate data leakage
• Departments are adopting multiple subscriptions to SaaS apps without IT involvement
• Need inventory of applications to begin gaining control and to enable SSO
• Features used
  • Endpoint agent for application discovery with ability to distribute using SCCM
  • Interactive dashboard:
    • View total number of SaaS apps in use
    • View number of users using SaaS apps
    • View top SaaS apps with categories in use
    • See usage graphs for SaaS apps that can be pivoted on users, web requests or volume of data exchanged with the application
  • Drill down into specific applications for targeted information
  • Easily integrate an application with Azure Active Directory
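The dashboard figures above (apps in use, users per app, top apps by category, pivots on users, requests and bytes) are aggregates over what an endpoint agent observes. The following is an added example of that aggregation, not Cloud App Discovery's own code: it assumes the agent emits one record per web request as (user, URL, bytes) and that a catalog maps hostnames to SaaS apps and categories. The catalog and the records are constructed sample data, and the traffic to an unknown host is deliberately left unclassified so the inventory shows only recognised SaaS use.

```python
"""Aggregate endpoint-agent web requests into a SaaS inventory.

Added example, not Microsoft's Cloud App Discovery code. Assumes each
agent record is (user, url, bytes exchanged). Catalog and records are
constructed sample data.
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed catalog: hostname suffix -> (app name, category)
CATALOG = {
    "salesforce.com": ("Salesforce", "CRM"),
    "dropbox.com": ("Dropbox", "Cloud storage"),
    "box.com": ("Box", "Cloud storage"),
    "yammer.com": ("Yammer", "Collaboration"),
}

# Constructed agent records: (user, url, bytes exchanged with the host)
RECORDS = [
    ("alice", "https://na1.salesforce.com/home", 4200),
    ("alice", "https://www.dropbox.com/upload", 1_500_000),
    ("bob", "https://www.dropbox.com/sync", 900_000),
    ("carol", "https://app.box.com/folder", 300_000),
    ("bob", "https://www.yammer.com/feed", 2000),
    ("dave", "https://intranet.corp.example/portal", 500),  # not SaaS: stays unclassified
]


def classify(url):
    """Map a request URL to (app, category) via hostname suffix match, or None."""
    host = (urlsplit(url).hostname or "").lower()
    for suffix, app in CATALOG.items():
        if host == suffix or host.endswith("." + suffix):
            return app
    return None


def build_inventory(records):
    """Per-app rollup: category, distinct users, request count, bytes."""
    inventory = {}
    for user, url, nbytes in records:
        app = classify(url)
        if app is None:
            continue
        name, category = app
        entry = inventory.setdefault(
            name, {"category": category, "users": set(), "requests": 0, "bytes": 0})
        entry["users"].add(user)
        entry["requests"] += 1
        entry["bytes"] += nbytes
    return inventory


def summary(inventory):
    """Headline numbers shown on the dashboard."""
    users = set()
    for entry in inventory.values():
        users |= entry["users"]
    return {"apps_in_use": len(inventory), "users_using_saas": len(users)}


def top_apps(inventory, pivot="users", n=3):
    """Top apps pivoted on distinct users, requests or bytes."""
    keyfn = {
        "users": lambda e: len(e["users"]),
        "requests": lambda e: e["requests"],
        "bytes": lambda e: e["bytes"],
    }[pivot]
    return sorted(inventory, key=lambda name: keyfn(inventory[name]), reverse=True)[:n]


def bytes_by_category(inventory):
    """Volume of data exchanged per category, the usual data-leakage pivot."""
    by_cat = defaultdict(int)
    for entry in inventory.values():
        by_cat[entry["category"]] += entry["bytes"]
    return dict(by_cat)


if __name__ == "__main__":
    inv = build_inventory(RECORDS)
    print(summary(inv), top_apps(inv, "bytes"), bytes_by_category(inv))
```

Pivoting on bytes rather than users is what surfaces the storage apps in this sample: Dropbox has the most users, but Dropbox and Box together account for almost all data leaving the estate.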

Simplify access and control of SaaS applications
SaaS App Management
• Professional services company, 4500 employees
• Interested in Office, Workday, Salesforce, Yammer and other SaaS applications
• Needs centralized management of employee access to SaaS applications
• Features used
  • Windows Azure AD single sign on (SSO) for SaaS applications
  • Automated user provisioning and de-provisioning to SaaS applications
  • Access Panel at
  • Company-branded sign-in and app access experience

Simplify access and control of SaaS applications
SaaS App User Provisioning
• Fortune 500 company with 100,000+ international employees
• Needed automated user provisioning and deprovisioning to SaaS apps including ServiceNow
• ServiceNow also requires group objects
• Features used
  • Synchronize across on-premises data sources and into Windows Azure AD
  • Windows Azure AD provides user and group provisioning to ServiceNow and other SaaS apps

Simplify access and control of SaaS applications
Windows Azure AD Connector
• Fortune 500 company with 100,000+ international employees
• Multiple data sources on-premises
• Need to provision users and groups to Windows Azure AD for control of SaaS
• Features used
  • Synchronize on-premises data sources to Windows Azure AD
  • Group-based application assignment in WAAD
  • Incorporate users from HR sources such as SAP, PeopleSoft and Oracle

Understand the ROI on SaaS applications
Usage and Business reporting
• Large multi-national enterprise
• Seeking to evaluate application usage and access patterns
• Features used
  • Application dashboard
  • Cross company application usage
  • Detailed usage for specific apps

Self-service identity and access management
Self-Service Password Reset for Users
• University with 20k current students
• Existing on-premises password reset solution in place does not cover alumni and is difficult to manage
• Features used
  • Reset of on-premises passwords from the cloud (password writeback to WSAD)
  • Phone and email verification methods
  • End-user registration of contact methods
  • Customization of helpdesk URL and branding of Password Reset Portal with university's logo

Self-service identity and access management
Custom Branding
• Financial services firm with 200+ offices
• Needs consistent look-and-feel across authentication experiences
• Already using Office 365 and Active Directory
• Features used
  • Sign-in page branded with company logo and illustration
  • Customized help text on sign-in page
  • Access Panel for end-users customized with company logo

Self-service identity and access management
Self-Service Group Management
• Large multi-national enterprise
• Enable distributed group creation and management
• Delegated group management
  • End users can create groups, assign users
  • Owner can delegate ownership
• Self-service group management
  • Users can search for groups and request to join
  • Owner approves requests
  • Groups can be set to auto-approve

Improve security posture with cloud services
Multi-Factor Authentication
• Local government agency
• Protect access to sensitive applications
• Avoid end user lock out using multiple MFA methods (Phone App, Call or SMS Mobile, Office, or alternate phone)
• Features used
  • Targeted MFA for sensitive accounts
  • Customization of MFA greetings, fraud alerts, one time bypass capabilities
  • End-user self-service enrollment
  • Audit reports for MFA activity
  • Whitelisting IP Addresses to bypass MFA from Corpnet
  • 'Remember this device' feature to require MFA only from un-trusted devices
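The controls in this scenario combine into a single policy decision per sign-in: is MFA required, and if so, which method can the user complete. The block below is an added example that models that decision; it is not Azure MFA's code. It assumes constructed corpnet ranges, a constructed list of sensitive accounts, a 14-day 'remember this device' lifetime and epoch-second timestamps, and it makes one design choice of its own: sensitive accounts always get MFA, so neither the corpnet allow-list nor a remembered device bypasses it for them.

```python
"""Decide whether a sign-in must complete multi-factor authentication.

Added example, not Azure MFA's own code. Models the slide's controls as
one policy: targeted MFA for sensitive accounts, a corpnet IP allow-list
that bypasses MFA, 'remember this device' so MFA is required only from
untrusted devices, and an ordered list of verification methods so a user
who cannot use one method is not locked out. Accounts, IP ranges and
timestamps are constructed.
"""
import ipaddress

CORPNET = [ipaddress.ip_network("10.0.0.0/8"),        # constructed corpnet ranges
           ipaddress.ip_network("203.0.113.0/24")]
SENSITIVE_ACCOUNTS = {"finance-admin", "hr-admin"}    # constructed
REMEMBER_DEVICE_SECONDS = 14 * 86400                  # assumed 'remember this device' lifetime
METHOD_ORDER = ["phone_app", "call", "sms", "alternate_phone"]


def from_corpnet(ip):
    """True when the source address falls inside an allow-listed corpnet range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORPNET)


def device_remembered(device, now):
    """device is a dict; 'mfa_completed_at' is the epoch time MFA last succeeded on it."""
    last = device.get("mfa_completed_at")
    return last is not None and 0 <= now - last < REMEMBER_DEVICE_SECONDS


def mfa_decision(user, ip, device, now, app_sensitive):
    """Return (require_mfa, reason).

    Design choice of this example: a sensitive account is always
    challenged, so the corpnet bypass and a remembered device do not
    apply to it; for everyone else the bypasses are checked in order.
    """
    if user in SENSITIVE_ACCOUNTS:
        return True, "sensitive account"
    if not app_sensitive:
        return False, "application not in MFA scope"
    if from_corpnet(ip):
        return False, "corpnet IP allow-listed"
    if device_remembered(device, now):
        return False, "device remembered"
    return True, "untrusted device off corpnet"


def pick_method(enrolled, unavailable=()):
    """First enrolled method the user can complete right now.

    None means every enrolled method is unavailable; an admin-issued
    one-time bypass is then the remaining way to avoid lock-out.
    """
    for method in METHOD_ORDER:
        if method in enrolled and method not in unavailable:
            return method
    return None


if __name__ == "__main__":
    now = 1_400_000_000
    print(mfa_decision("alice", "198.51.100.7", {}, now, True))
    print(mfa_decision("alice", "10.1.2.3", {}, now, True))
    print(pick_method({"phone_app", "sms"}, unavailable={"phone_app"}))
```

The order of the checks is the policy: a bypass is only consulted after the targeted-account rule, so adding an address to the corpnet list can never weaken protection of the accounts the agency singled out.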

Improve security posture with cloud services
Security and Usage Reporting
• Large multi-national enterprise
• Frequent target of attempts to gain unauthorized access to employee accounts
• Features used
  • Anomaly detection: credential sharing, credential misuse/loss, brute force attacks, access from behind anonymizers
  • Machine learning
  • Detection of attacks spanning organizations
  • Investigate sign in activity and devices
  • Admin Notifications
  • Download data for offline analysis
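Three of the anomaly classes listed here can be expressed as plain rules over a sign-in log, which is also what an analyst does with the downloaded data offline. The block below is an added example, not Azure AD's reporting engine: it flags brute force (repeated failures for one account inside a short window), access from behind anonymizers (source address on a known exit list) and likely credential sharing (one account used from two places further apart than it could have travelled in the time between sign-ins). The log lines, the anonymizer list, the thresholds and the coordinates are all constructed.

```python
"""Flag anomalous sign-ins in a constructed sign-in log.

Added example, not Azure AD's anomaly-detection code. Rule-based stand-ins
for three of the slide's categories: brute force, anonymizer access and
credential sharing. All data and thresholds below are constructed.
"""
import math
from collections import defaultdict

ANONYMIZER_IPS = {"198.51.100.99"}   # constructed exit-node list
BRUTE_FORCE_THRESHOLD = 5            # failures ...
BRUTE_FORCE_WINDOW = 600             # ... within this many seconds
MAX_TRAVEL_KMH = 1000                # faster than this between sign-ins is implausible

# Constructed log: (epoch seconds, user, source ip, success, latitude, longitude)
LOG = [
    (0,    "alice", "203.0.113.5",   True,  47.6, -122.3),   # Seattle
    (1800, "alice", "192.0.2.10",    True,  51.5,   -0.1),   # London, 30 minutes later
    (100,  "bob",   "203.0.113.8",   False, 47.6, -122.3),
    (130,  "bob",   "203.0.113.8",   False, 47.6, -122.3),
    (160,  "bob",   "203.0.113.8",   False, 47.6, -122.3),
    (190,  "bob",   "203.0.113.8",   False, 47.6, -122.3),
    (220,  "bob",   "203.0.113.8",   False, 47.6, -122.3),
    (250,  "bob",   "203.0.113.8",   False, 47.6, -122.3),
    (3000, "carol", "198.51.100.99", True,  52.5,   13.4),   # via an anonymizer
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def detect_brute_force(log):
    """Sliding window of failures per account; fire once threshold is reached."""
    findings = set()
    fails = defaultdict(list)
    for ts, user, ip, ok, *_ in sorted(log):
        if ok:
            continue
        recent = [t for t in fails[user] if ts - t <= BRUTE_FORCE_WINDOW]
        recent.append(ts)
        fails[user] = recent
        if len(recent) >= BRUTE_FORCE_THRESHOLD:
            findings.add(("brute_force", user, ip))
    return sorted(findings)


def detect_anonymizer(log):
    """Successful sign-ins whose source address is on the anonymizer list."""
    return sorted({("anonymizer", user, ip)
                   for _, user, ip, ok, *_ in log if ok and ip in ANONYMIZER_IPS})


def detect_credential_sharing(log):
    """Consecutive successes for one account that imply impossible travel speed."""
    findings = set()
    last = {}
    for ts, user, ip, ok, lat, lon in sorted(log):
        if not ok:
            continue
        if user in last:
            pts, plat, plon = last[user]
            km = haversine_km(plat, plon, lat, lon)
            hours = max((ts - pts) / 3600.0, 1e-9)   # guard against zero elapsed time
            if km / hours > MAX_TRAVEL_KMH:
                findings.add(("credential_sharing", user, ip))
        last[user] = (ts, lat, lon)
    return sorted(findings)


def run_all(log=LOG):
    return detect_brute_force(log) + detect_anonymizer(log) + detect_credential_sharing(log)


if __name__ == "__main__":
    for finding in run_all():
        print(finding)
```

Each detector returns (category, user, ip) tuples so the output can feed the admin notification and investigation steps in the same list; the credential-sharing rule only compares successful sign-ins, because a failed attempt from far away says nothing about where the legitimate holder is.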

Rapidly develop and deploy new enterprise capabilities
• Write custom LOB applications that integrate with Windows Azure AD
  • Website applications, web APIs, and native client applications
  • Users sign in to AD-integrated applications with their cloud identities
  • Single sign-on with Office 365 and other services that use Windows Azure AD
• AD-integrated applications can access Office 365 and other web APIs
  • Write powerful applications that access email, calendar, contacts, files, etc. in Office 365 and other applications
• Applications can extend Windows Azure AD schema
  • Read & write attributes which are useful to other applications in the organization
• Cross-platform support
  • Web applications and web APIs can run on Windows Azure or other infrastructure
  • Native client applications can run on iOS, Android, and Windows
• Open Standards
  • SAML, OAuth 2.0, OpenID Connect, OData 3.0
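A custom LOB web application signs its users in over OpenID Connect, one of the standards named above. The block below is an added example of the relying-party side of that exchange, not Microsoft's library code: it builds the authorization request with a fresh state and nonce bound to the server-side session, then validates what comes back. The endpoint, client id, redirect URI and issuer are constructed placeholders, and the example assumes the id_token's RS256 signature has already been verified against the tenant's published keys by a JWT library before the decoded claims reach validate_id_token_claims(); what is shown is the claim checking (issuer, audience, nonce, expiry) that applications most often skip.

```python
"""OpenID Connect sign-in from a custom LOB web app: build the authorize
request, then validate the callback.

Added example, not Microsoft's library code. Endpoint, client id, redirect
URI and issuer are constructed placeholders. Assumes the id_token's RS256
signature was already verified by a JWT library against the tenant's
published keys; only claim validation is shown here.
"""
import secrets
import time
from urllib.parse import urlencode, urlsplit, parse_qs

AUTHORIZE = "https://login.example/tenant-id-placeholder/oauth2/authorize"  # constructed
CLIENT_ID = "00000000-0000-0000-0000-000000000000"                           # placeholder
REDIRECT_URI = "https://lob.example/auth/callback"                           # constructed
EXPECTED_ISSUER = "https://sts.example/tenant-id-placeholder/"               # constructed


def start_sign_in(session):
    """Store fresh state and nonce in the server-side session; return the authorize URL."""
    session["oidc_state"] = secrets.token_urlsafe(32)
    session["oidc_nonce"] = secrets.token_urlsafe(32)
    params = {
        "client_id": CLIENT_ID,
        "response_type": "id_token",
        "redirect_uri": REDIRECT_URI,
        "response_mode": "form_post",
        "scope": "openid",
        "state": session["oidc_state"],
        "nonce": session["oidc_nonce"],
    }
    return AUTHORIZE + "?" + urlencode(params)


def query_params(url):
    """Flatten the query string of a URL into a dict (helper for inspection)."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def check_state(session, returned_state):
    """Constant-time, one-time comparison of the returned state against the session."""
    expected = session.pop("oidc_state", None)   # popped so a replayed callback fails
    return expected is not None and secrets.compare_digest(expected, returned_state or "")


def validate_id_token_claims(claims, session, now=None):
    """Return (ok, reason) for an already signature-verified id_token payload."""
    now = time.time() if now is None else now
    nonce = session.pop("oidc_nonce", None)      # one-time use as well
    if claims.get("iss") != EXPECTED_ISSUER:
        return False, "issuer mismatch"
    aud = claims.get("aud")
    if aud != CLIENT_ID and not (isinstance(aud, list) and CLIENT_ID in aud):
        return False, "audience mismatch"
    if nonce is None or claims.get("nonce") != nonce:
        return False, "nonce mismatch"
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        return False, "token expired"
    if isinstance(claims.get("nbf"), (int, float)) and now < claims["nbf"]:
        return False, "token not yet valid"
    return True, "ok"


if __name__ == "__main__":
    session = {}
    print(start_sign_in(session))
    print(check_state(session, query_params(start_sign_in(session))["state"]))
```

Both state and nonce are removed from the session on first use, so a callback that is replayed, or an id_token minted for a different sign-in attempt, is rejected even though its signature and issuer are valid.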

Azure Active Directory features comparison (AAD Free | AAD Premium)
• Directory as a Service: Yes, up to 500K objects | Yes, no limit
• User/Group Management: Yes | Yes
• SSO to pre-integrated SaaS Applications / Custom Apps: Yes | Yes
• Directory Synchronization Tool (WSAD Extension): Yes | Yes
• User-based access management/provisioning: Yes | Yes
• Group-based access management/provisioning: – | Yes
• Self-Service Group Management for cloud users: – | Yes
• Self-Service Change Password for cloud users: Yes | Yes
• Self-Service Reset Password for cloud users: – | Yes
• Security Reports: Yes (MFA related) | Yes
• Multi-Factor Authentication: Yes | Yes
• Advanced Security Reporting (machine learning-based): – | Yes
• Usage Reporting: – | Yes
• Custom Branding (Logon/Access Panel customization): – | Yes
• MFA (All available features on Windows Azure and on premises): – | Yes
• SLA: Yes | Yes
• FIM CAL + FIM Server: – | Yes

Discussion and Next Steps
• Learn More about Azure Active Directory:
• Get started with Cloud App Discovery at https://appdiscovery.
• Give us feedback via the forums at http://aka.ms/aadforum
• My contact info –