scu berlín | cloud identity for maximum productivity
TRANSCRIPT
Diana Carolina Torres Viasús
MVP, IT Consultor
UNAD
@CarolinaTV
Pete Zerger
MVP, Principal Program Manager
Cireson
@PZerger
Office 365 identity models
Managing identities
Strong authentication (MFA)
Securely publishing applications
Connecting devices
Conditional Access
Azure AD Identity Protection
Identity as the core of enterprise mobility
Single sign-on
Microsoft Azure Active Directory
Self-service
Simple connection
On-premises
Other directories
Windows Server Active Directory
SaaS / Azure
Public cloud
Cloud
Enable users to access company data from anywhere
On-Premises Apps
(e.g. HR or SharePoint)
Custom Web or Native Apps
(e.g. Mobile App or LOB App)
SaaS apps
(e.g. Concur or Salesforce)
OTHER DIRECTORIES
2500+ pre-integrated popular
SaaS apps and self-service integration via
templates
Connect and sync on-premises directories
with Azure
Easily publish on-premises web apps via
Application Proxy + custom apps
Microsoft Azure AD
Corporate network
Microsoft Azure Active Directory
Connectors are usually deployed on corpnet, next to the resources they publish
Multiple connectors can be deployed for redundancy, scale, multiple sites, and different resources
Users connect to the cloud service that routes their traffic to resources via the connectors
A connector that auto-connects to the cloud service
DMZ
https://app1-contoso.msappproxy.net/ (Application Proxy) -> http://app1
Easily and securely publish modern and legacy on-prem apps
Zero on-premises servers
On-premises Identity
Federation / Directory sync / Directory sync with password sync
Microsoft Azure Active Directory
Microsoft Azure
Identity synchronization with password (hash) sync
Identity synchronization
Synchronized: user attributes are synchronized using identity synchronization services, including a hash of the Active Directory password hash; authentication is completed against Azure Active Directory.
Federated (ADFS): user attributes are synchronized using identity synchronization tools; authentication is passed back through federation and completed against Windows Server Active Directory.
Identity models leveraging on-premises investments
Azure Active Directory Connect
ADFS
Sync engine
Azure Active Directory Connect
Consolidated deployment assistant for your identity bridge components.
All currently available sync engines will be replaced by the sync engine included in the Connect tool.
Assisted deployment of ADFS will be available through Azure Active Directory Connect.
ADFS is an optional component for authentication in a hybrid implementation. Password sync can replace ADFS in many scenarios.
DirSync
Azure Active Directory Sync
FIM+Azure Active Directory Connector
ADFS
What is synchronized?
• All users
• Groups
• Mail-enabled objects
Objects added, deleted or modified on premises are reflected in Office 365.
What is not synchronized?
• Built-in administrative accounts and group
• Default Active Directory administrative groups
• Default Exchange administrative groups
• Exchange System mailbox accounts
DirSync WriteBack?
In hybrid deployments, a handful of properties are written back to on-premises AD to support message routing and some advanced features.
with Azure Active Directory Connect
Demo: Configuring Azure Active Directory Connect
A standalone Azure identity and access management service, also included in Azure Active Directory Premium.
Prevents unauthorized access to both on-premises and cloud applications by providing an additional level of authentication.
Used by thousands of enterprises to authenticate billions of user requests per day.
How does MFA work?
Diagram components: Windows App Proxy in the perimeter (DMZ); ADFS / MFA Server, Active Directory and the SharePoint Farm on the corporate network; the Azure MFA Service in Azure.
1. User connects to resource that is configured for MFA
2. Authentication request goes to the MFA Server
3. MFA Server reaches out to identity provider (AD, in our case)
4. Identity provider (AD) returns authentication response to MFA Server
5. MFA Server reaches out to the cloud MFA Service
6. Cloud MFA Service performs 2nd factor auth with user device/phone
7. User responds to authentication call / mobile notification / request for code
8. If 2nd factor auth is successful, Cloud MFA Service responds to MFA Server with success
9. Server responds to requesting resource with successful authentication
10. User accesses resource (SharePoint via WAP/ADFS)
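The ten-step exchange above, modelled as an added example (not code from the session or from Microsoft): a toy MFA Server brokers the first factor against a stand-in for AD and the second factor against a stand-in cloud MFA service, and records each step. The account, salted hash and phone code are constructed; a useful detail the steps imply is that a failed first factor must never trigger the second-factor challenge.

```python
import hashlib
import hmac

# Constructed data for the demo (not real accounts): AD stores a salted password hash;
# the cloud MFA service knows which one-time code the user's phone will show.
AD_USERS = {"alice": hashlib.sha256(b"salt|Passw0rd!").hexdigest()}
PHONE_CODES = {"alice": "482913"}

class IdentityProvider:                      # steps 3-4: first factor, checked against AD
    def authenticate(self, user, password):
        stored = AD_USERS.get(user)
        candidate = hashlib.sha256(b"salt|" + password.encode()).hexdigest()
        # compare_digest avoids leaking the match position through timing
        return stored is not None and hmac.compare_digest(stored, candidate)

class CloudMfaService:                       # steps 6-8: second factor with the user's device
    def second_factor(self, user, code_from_user):
        expected = PHONE_CODES.get(user)
        return expected is not None and hmac.compare_digest(expected, code_from_user)

class MfaServer:                             # steps 2-9: the on-premises MFA Server
    def __init__(self, idp, cloud):
        self.idp, self.cloud = idp, cloud

    def authenticate(self, user, password, code_from_user, trail):
        trail.append(f"2. auth request for {user} reaches MFA Server")
        trail.append("3. MFA Server asks identity provider (AD)")
        if not self.idp.authenticate(user, password):
            # a failed first factor never reaches the cloud: no OTP/push is sent for bad passwords
            trail.append("4. AD rejects first factor; second factor is never triggered")
            return False
        trail.append("4. AD accepts first factor")
        trail.append("5. MFA Server calls cloud MFA Service")
        trail.append("6. cloud MFA Service challenges the user's device/phone")
        trail.append("7. user answers call / notification / code request")
        if not self.cloud.second_factor(user, code_from_user):
            trail.append("8. cloud MFA Service reports second-factor failure")
            return False
        trail.append("8. cloud MFA Service reports success to MFA Server")
        trail.append("9. MFA Server reports success to the requesting resource")
        return True

def access_resource(user, password, code_from_user):
    """Run the full flow once; returns (granted, list of numbered trace lines)."""
    trail = [f"1. {user} connects to SharePoint (via WAP/ADFS), which is configured for MFA"]
    server = MfaServer(IdentityProvider(), CloudMfaService())
    granted = server.authenticate(user, password, code_from_user, trail)
    trail.append("10. user accesses resource" if granted else "10. access denied")
    return granted, trail
```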
Azure combines previous authenticator apps into a new app which works with both Microsoft accounts and Azure AD accounts.
Best in breed MFA experience through one-click push notifications
Support for wearables
Fingerprints instead of passcodes
Certificate-based authentication
Multi-factor Authentication for AAD & Microsoft Accounts
MONITOR AND PROTECT
Feature | MFA for Office 365 / Azure Administrators | Azure Multi-Factor Authentication
Administrators can enable/enforce MFA to end users | Yes | Yes
Use mobile app (online and OTP) as second authentication factor | Yes | Yes
Use phone call as second authentication factor | Yes | Yes
Use SMS as second authentication factor | Yes | Yes
Application passwords for non-browser clients (e.g., Outlook, Lync) | Yes | Yes
Default Microsoft greetings during authentication phone calls | Yes | Yes
Suspend MFA from known devices | Yes | Yes
Custom greetings during authentication phone calls | - | Yes
Fraud alert | - | Yes
MFA SDK | - | Yes
Security reports | - | Yes
MFA for on-premises applications / MFA Server | - | Yes
One-time bypass | - | Yes
Block/Unblock users | - | Yes
Customizable caller ID for authentication phone calls | - | Yes
Event confirmation | - | Yes
Trusted IPs | - | Yes
Demo: Configuring Multi-factor Authentication
Intune/MDM auto-enrollment
Azure Active Directory Join makes it possible to connect work-owned Windows 10 devices to your company's Azure Active Directory.
Enterprise-compliant services
SSO from the desktop to cloud and on-premises applications with no VPN
Support for hybrid environments
MDM auto-enrollment for Windows 10 Azure AD joined devices
Demo: Windows 10 Domain Join
On-premises applications
APPLICATION: per app policy; type of client; business sensitivity
OTHER: network location; risk profile
DEVICES: are domain joined; are compliant; platform type (Windows, iOS, Android)
USER ATTRIBUTES: user identity; group memberships; auth strength (MFA)
Decision:
• Allow
• Enforce MFA
• Block
Brute force attacks
Leaked credentials
Infected devices
Suspicious sign-in activities
Configuration vulnerabilities
with AAD Conditional Access
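How the inputs above (application, client type, network location, risk profile, device state, user and group, auth strength) combine into Allow / Enforce MFA / Block, as an added example that is not Microsoft's policy engine and not code from the session. The policy model, the risk levels and the two sample policies are constructed; the combining rule (Block beats Enforce MFA beats Allow) is an assumption a defender would want to make explicit.

```python
from dataclasses import dataclass

ALLOW, ENFORCE_MFA, BLOCK = "Allow", "Enforce MFA", "Block"
RISK_ORDER = {"low": 0, "medium": 1, "high": 2}   # constructed risk scale (Identity Protection signals)

@dataclass
class SignIn:                 # one sign-in attempt, carrying the inputs listed above
    user: str
    groups: frozenset         # group memberships
    app: str
    client_type: str          # type of client: "browser", "modern" or "legacy"
    network: str              # network location: "corpnet" or "internet"
    risk: str                 # risk profile: "low", "medium" or "high"
    domain_joined: bool
    compliant: bool
    mfa_done: bool            # auth strength: MFA already satisfied in this session

@dataclass
class Policy:                 # a per-app policy; "*" in a set matches anything
    name: str
    apps: frozenset
    targets: frozenset        # user names or group names the policy applies to
    block_legacy: bool = False
    block_risk_at_least: str = ""      # "" means never block on risk
    mfa_unless_trusted: bool = False   # MFA unless on corpnet with a joined, compliant device

def applies(p: Policy, s: SignIn) -> bool:
    app_ok = "*" in p.apps or s.app in p.apps
    who_ok = "*" in p.targets or s.user in p.targets or bool(s.groups & p.targets)
    return app_ok and who_ok

def evaluate(policies, s: SignIn):
    """Combine every matching policy: Block beats Enforce MFA, which beats Allow."""
    decision, reasons = ALLOW, []
    trusted = s.network == "corpnet" and s.domain_joined and s.compliant
    for p in policies:
        if not applies(p, s):
            continue
        if p.block_legacy and s.client_type == "legacy":
            return BLOCK, reasons + [f"{p.name}: legacy client cannot perform MFA"]
        if p.block_risk_at_least and RISK_ORDER[s.risk] >= RISK_ORDER[p.block_risk_at_least]:
            return BLOCK, reasons + [f"{p.name}: sign-in risk is {s.risk}"]
        if p.mfa_unless_trusted and not trusted and not s.mfa_done:
            decision, reasons = ENFORCE_MFA, reasons + [f"{p.name}: untrusted location or device"]
    return decision, reasons

# Constructed policy set for the demo (not from the deck): a sensitive HR app and the admin group.
POLICIES = [
    Policy("HR app", frozenset({"HR"}), frozenset({"*"}),
           block_legacy=True, mfa_unless_trusted=True, block_risk_at_least="medium"),
    Policy("Admins", frozenset({"*"}), frozenset({"Global Admins"}),
           mfa_unless_trusted=True, block_risk_at_least="high"),
]
```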
Demo: Configuring Conditional Access
Public Preview
Your perimeter: company internal, managed devices, mobility, external sharing
CLASSIFY
PROTECT
MONITOR
RESPOND
The integration of Azure RMS and Secure Islands gives a comprehensive information protection solution that protects data at every stage.
Data
LABEL / FILE
http://bit.ly/2bFoIVl
Azure AD Premium offers multiple options for managing identities.
You can manage and monitor access across devices for users in the office or remote.
Data security and sovereignty can be assured.
Sign up for your free Azure and Azure AD Premium trial and test for yourself.