
Multi-Factor Authentication Deep Dive: Securing Access On-Premises and in the Cloud

Shawn Bishop, Program Manager
Nasos Kladakis, Sr. Product Marketing Manager

EM-B313

Authentication In Motion

What is multi-factor authentication?

Any two or more of the following factors:

• Something you know: a password or PIN.

• Something you have: a phone, credit card or hardware token.

• Something you are: a fingerprint, retinal scan or other biometric.

Stronger when using two different channels (out-of-band).

[Slide graphic: hardware token, certificates, smartcard, phone]

What is Azure Multi-Factor Authentication?

An Azure Identity and Access management service that prevents unauthorized access to both on-premises and cloud applications by providing an additional level of authentication

Trusted by thousands of enterprises to authenticate employee, customer, and partner access.

How It Works

[Slide graphic: mobile apps, phone calls, text messages, alert]

Microsoft Azure Multi-Factor Authentication flavors

• Azure Multi-Factor Authentication stand-alone

• Included in Azure Active Directory Premium

• Free for Azure administrators

• A subset of Azure MFA functionality included in Office 365

Azure MFA vs MFA for Office 365

Feature                                                            | MFA for Office 365 / Azure Administrators | Azure Multi-Factor Authentication
-------------------------------------------------------------------|-------------------------------------------|----------------------------------
Administrators can enable/enforce MFA for end users                | Yes                                       | Yes
Use mobile app (online and OTP) as second authentication factor    | Yes                                       | Yes
Use phone call as second authentication factor                     | Yes                                       | Yes
Use SMS as second authentication factor                            | Yes                                       | Yes
Application passwords for non-browser clients (e.g. Outlook, Lync) | Yes                                       | Yes
Default Microsoft greetings during authentication phone calls      | Yes                                       | Yes
Suspend MFA from known devices                                     | Yes                                       | Yes
Custom greetings during authentication phone calls                 |                                           | Yes
Fraud alert                                                        |                                           | Yes
MFA SDK                                                            |                                           | Yes
Security reports                                                   |                                           | Yes
MFA for on-premises applications / MFA Server                      |                                           | Yes
One-time bypass                                                    |                                           | Yes
Block/unblock users                                                |                                           | Yes
Customizable caller ID for authentication phone calls              |                                           | Yes
Event confirmation                                                 |                                           | Yes
Trusted IPs                                                        |                                           | Yes

Demo

Sign-in Experience

[Slide diagram: on-premises apps (RADIUS, LDAP, IIS, RDS/VDI) are protected through the Multi-Factor Authentication Server; cloud apps (SAML; .NET, Java, PHP…) through the Multi-Factor Authentication Service. Both are backed by Windows Server AD or another LDAP directory (Active Directory).]

1. Users sign in from any device using their existing username/password.

2. Users must also authenticate using their phone or mobile device before access is granted.
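The two-step flow on the slide, as an added illustrative example that is not Microsoft's code and not how Azure MFA or the MFA Server is implemented: step 1 checks the username/password against a directory, step 2 checks a one-time code from the user's mobile app before access is granted. The directory, salts, trusted-IP list and blocked-user set are constructed; the OTP is a standard RFC 6238 TOTP (HMAC-SHA1, 30-second step) standing in for the mobile app's OTP mode, and the trusted-IP bypass and block/unblock checks model the features named in the comparison table rather than any documented behaviour.

```python
"""Two-step sign-in modelled on the slide's flow. Illustrative only: the
directory, trusted-IP list and blocked-user set below are constructed."""
import hashlib
import hmac
import struct
import time

# RFC 6238 reference secret, so the codes can be checked against the RFC vectors.
OTP_SECRET = b"12345678901234567890"

def _pw_hash(password: str, salt: bytes) -> bytes:
    """Password verifier: PBKDF2-HMAC-SHA256 (constructed parameters)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed directory: per-user salt, password hash and OTP secret.
DIRECTORY = {
    "alice": {
        "salt": b"salt-alice",
        "pw": _pw_hash("correct horse", b"salt-alice"),
        "otp_secret": OTP_SECRET,
    },
}
TRUSTED_IPS = {"10.0.0.5"}   # constructed: a corporate egress address
BLOCKED_USERS = set()        # users an administrator has blocked

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, at: int, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the time step."""
    return hotp(secret, at // step)

def verify_password(user: str, password: str) -> bool:
    """Step 1: constant-time comparison of the password verifier."""
    rec = DIRECTORY.get(user)
    if rec is None:
        return False
    return hmac.compare_digest(rec["pw"], _pw_hash(password, rec["salt"]))

def verify_otp(user: str, code: str, now: int, window: int = 1) -> bool:
    """Step 2: accept the code for the current step or one step either side,
    to tolerate clock drift between the phone and the server."""
    rec = DIRECTORY.get(user)
    if rec is None:
        return False
    step = now // 30
    return any(hmac.compare_digest(hotp(rec["otp_secret"], step + d), code)
               for d in range(-window, window + 1))

def sign_in(user: str, password: str, code, client_ip: str, now=None) -> str:
    """Full flow: block list, password, trusted-IP bypass, then second factor."""
    now = int(time.time()) if now is None else now
    if user in BLOCKED_USERS:
        return "blocked"
    if not verify_password(user, password):
        return "denied"
    if client_ip in TRUSTED_IPS:
        return "granted (trusted IP, second factor skipped)"
    if code is None or not verify_otp(user, code, now):
        return "denied: second factor required"
    return "granted"

if __name__ == "__main__":
    # At t=59 the RFC 6238 reference code for this secret is 287082 (6 digits).
    print(sign_in("alice", "correct horse", totp(OTP_SECRET, 59), "203.0.113.9", now=59))
```

The trusted-IP branch shows the trade-off behind the "Trusted IPs" feature: a request from an allowed source address is granted on the password alone, so the list should only contain networks where the first factor is already protected by other controls.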

[Slide graphic: employees, partners and customers; Security, Scale, Convenience]

Convenience

No devices or certificates to purchase, provision, and maintain

No end user training is required

Users replace their own lost or broken phones

Users manage their own authentication methods and phone numbers

Integrates with existing directory for centralized user management and automated enrollment

Scale

Works with all leading on-premises applications

Supports ADFS and SAML-based apps for federation to the cloud

Built into Microsoft Azure Active Directory for use with cloud apps

SDK for integration with custom apps and directories

Reliable, scalable service supports high-volume, mission-critical scenarios

Security

Strong multi-factor authentication

Real-Time Fraud Alert

PIN option

Reporting and logging for auditing

Enables compliance with NIST 800-63 Level 3, HIPAA, PCI DSS, and other regulatory requirements

Demo

Multi-Factor Set Up

• Creating a Multi-Factor Authentication Provider

• Enabling Microsoft Azure Active Directory Users

• Integration with Azure AD Premium

• Using the On-Premises Multi-Factor Authentication Server


Putting it all together

Related content

Microsoft Solutions Experience Location (MSE)

Find Me Later at @Akladakis #AzureAD

Tue, Oct 28 3:15 PM-4:30 PM EM-B214 Privileged Access Management for Active Directory

Wed, Oct 29 8:30 AM-9:45 AM EM-B316 Directory Integration: Creating One Directory with Active Directory and Azure Active Directory

Wed, Oct 29 3:15 PM-4:30 PM EM-B319 Microsoft Identity Manager vNext Overview

Wed, Oct 29 3:15 PM-4:30 PM CDP-B210 Cloud Identity: Microsoft Azure Active Directory Explained

Wed, Oct 29 5:00 PM-6:15 PM EM-B318 Free Your Apps: Introducing Microsoft Azure Active Directory Application Proxy and Windows Server Web Application Proxy

Thu, Oct 30 10:15 AM-11:30 AM CDP-B312 Microsoft Azure Active Directory Premium, in Depth

Fri, Oct 31 2:45 PM-4:00 PM EM-B313 Microsoft Azure Multi-Factor Authentication Deep Dive: Securing Access on Premises and in the Cloud

Thu, Oct 30 12:00 PM-1:15 PM EM-B310 Active Directory + BYOD = Peace of Mind

Thu, Oct 30 5:00 PM-6:15 PM DEV-B322 Building Web Apps and Mobile Apps Using Microsoft Azure Active Directory for Identity Management

Azure MFA Documentation:

http://azure.microsoft.com/en-us/documentation/services/multi-factor-authentication/

Track resources

MSDN Library : http://msdn.microsoft.com/en-us/library/azure/dn249471.aspx

Resources

Learning

Microsoft Certification & Training Resources

www.microsoft.com/learning

Developer Network

http://developer.microsoft.com

TechNet

Resources for IT Professionals

http://microsoft.com/technet

Sessions on Demand

http://channel9.msdn.com/Events/TechEd

Enterprise Mobility Track Resources

Enterprise Mobility Suite: http://aka.ms/enterprisemobilitysuite

Microsoft Intune: http://aka.ms/microsoftintune

Configuration Manager: http://aka.ms/configmgr

Hybrid Identity: http://aka.ms/hi

Access & Info Protection: http://aka.ms/aip

Desktop Virtualization: http://aka.ms/virtualdesktop

TechEd Mobile app for session evaluations is currently offline

SUBMIT YOUR TECHED EVALUATIONS

Fill out an evaluation via

CommNet Station/PC: Schedule Builder

LogIn: europe.msteched.com/catalog

We value your feedback!

© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.