SCU Berlín | Cloud identity for maximum productivity

Speakers:
Diana Carolina Torres Viasús, MVP, IT Consultant, UNAD, @CarolinaTV
Pete Zerger, MVP, Principal Program Manager, Cireson, @PZerger

Posted on 26-Jan-2017

Page 1: Title slide (title and speakers as above)

Page 2: Topics

• Office 365 identity models
• Managing identities
• Strong authentication (MFA)
• Securely publishing applications
• Connecting devices
• Conditional Access
• Azure AD Identity Protection

Page 3: (no slide text)

Page 4: Identity as the core of enterprise mobility

Diagram: Microsoft Azure Active Directory at the centre, connected on one side to on-premises Windows Server Active Directory and other directories, and on the other side to SaaS applications, Azure and the public cloud. Callouts: single sign-on, self-service, simple connection.

Page 5: Enable users to access company data from anywhere

Application types connected through Microsoft Azure AD:
• On-premises apps (e.g. HR or SharePoint)
• Custom web or native apps (e.g. mobile app or LOB app)
• SaaS apps (e.g. Concur or Salesforce)
• Other directories

• 2500+ pre-integrated popular SaaS apps and self-service integration via templates
• Connect and sync on-premises directories with Azure
• Easily publish on-premises web apps via Application Proxy + custom apps

Page 6: Easily and securely publish modern and legacy on-prem apps

Diagram: a user reaches the published address https://app1-contoso.msappproxy.net/ in Microsoft Azure Active Directory (Application Proxy); the cloud service routes the request through a connector on the corporate network, which forwards it to the internal application at http://app1. The diagram marks the corporate network and the DMZ.

• Connectors are usually deployed on corpnet next to the resources
• Multiple connectors can be deployed for redundancy, scale, multiple sites, and different resources
• Users connect to the cloud service, which routes their traffic to the resources via the connectors
• The connector auto-connects to the cloud service

Page 7: Identity models

• Zero on-premises servers
• On-premises identity: federation
• On-premises identity: directory sync
• On-premises identity: directory sync with password sync

Page 8: Identity models leveraging on-premises investments

Synchronized (identity synchronization with password (hash) sync): user attributes are synchronized using identity synchronization services, including a hash of the Active Directory password hash; authentication is completed against Azure Active Directory.

Federated (identity synchronization plus ADFS): user attributes are synchronized using identity synchronization tools; authentication is passed back through federation and completed against Windows Server Active Directory.

Page 9: Azure Active Directory Connect

Azure Active Directory Connect bundles the sync engine and ADFS:
• Consolidated deployment assistant for your identity bridge components.
• All currently available sync engines (DirSync, Azure Active Directory Sync, FIM + Azure Active Directory Connector) will be replaced by the sync engine included in the Connect tool.
• Assisted deployment of ADFS will be available through Azure Active Directory Connect.
• ADFS is an optional component for authentication in hybrid implementations; password sync can replace ADFS in more scenarios.

Page 10: What is synchronized with Azure Active Directory Connect?

What is synchronized:
• All users
• Groups
• Mail-enabled objects
Objects added, deleted or modified on premises are reflected in Office 365.

What is not synchronized:
• Built-in administrative accounts and groups
• Default Active Directory administrative groups
• Default Exchange administrative groups
• Exchange System mailbox accounts

DirSync write-back:
In hybrid deployments, a handful of properties are written back to on-premises AD to support message routing and some advanced features.

Page 11: Demo: Configuring Azure Active Directory Connect

Page 12: Azure Multi-Factor Authentication

A standalone Azure identity and access management service, also included in Azure Active Directory Premium. It prevents unauthorized access to both on-premises and cloud applications by providing an additional level of authentication. It is used by thousands of enterprises to authenticate billions of user requests per day.

Page 13: How does MFA work?

Diagram: corporate network (Active Directory, SharePoint farm), perimeter (DMZ) with the Windows App Proxy and ADFS / MFA Server, and Azure (Azure MFA Service); the numbered arrows correspond to the steps below.

1. User connects to a resource that is configured for MFA
2. Authentication request goes to the MFA Server
3. MFA Server reaches out to the identity provider (AD, in our case)
4. Identity provider (AD) returns the authentication response to the MFA Server
5. MFA Server reaches out to the cloud MFA Service
6. Cloud MFA Service performs second-factor auth with the user's device/phone
7. User responds to the authentication call / mobile notification / request for code
8. If second-factor auth is successful, the cloud MFA Service responds to the MFA Server with success
9. MFA Server responds to the requesting resource with successful authentication
10. User accesses the resource (SharePoint via WAP/ADFS)
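The ten steps above, walked through as an added Python simulation (not code from the presentation or from Microsoft): the component names follow the slide, while the user table, phone number and message strings are constructed for the example. It shows that the cloud second factor is only invoked after the identity provider has accepted the first factor, and that a denied or impossible second factor never reaches step 10.

```python
"""Simulated walk-through of the ten-step MFA Server flow on the slide.

Added illustration only: component names follow the slide; the directory,
the enrolment table and the message strings are constructed for this example.
"""
# Constructed directory and enrolment data (not real accounts or numbers)
AD_USERS = {"alice": "Winter2017!", "dave": "Spring2017!"}   # identity provider (AD)
MFA_DEVICES = {"alice": "+49-000-0000"}   # phones registered with the cloud MFA Service

def identity_provider(user, password):
    """Steps 3-4: MFA Server asks AD, AD returns an authentication response."""
    return AD_USERS.get(user) == password

def cloud_mfa_service(user, user_answers):
    """Steps 5-8: cloud service performs the second factor with the user's device."""
    device = MFA_DEVICES.get(user)
    if device is None:
        return False                 # no enrolled device: the factor cannot be verified
    return user_answers(device)      # step 7: approve / deny / enter code

def mfa_server(user, password, user_answers, trace):
    """Steps 2-9: first factor against AD, then second factor via the cloud."""
    trace.append("2 resource -> MFA Server: authentication request")
    trace.append("3 MFA Server -> AD: validate credentials")
    if not identity_provider(user, password):
        trace.append("4 AD -> MFA Server: failure (no second factor attempted)")
        return False
    trace.append("4 AD -> MFA Server: success")
    trace.append("5 MFA Server -> cloud MFA Service: second factor for " + user)
    ok = cloud_mfa_service(user, user_answers)
    trace.append("8 cloud MFA Service -> MFA Server: " + ("success" if ok else "denied"))
    trace.append("9 MFA Server -> resource: " + ("authenticated" if ok else "rejected"))
    return ok

def access_resource(user, password, user_answers):
    """Steps 1 and 10: user requests the MFA-protected resource; returns (granted, trace)."""
    trace = ["1 user -> resource: request SharePoint via WAP/ADFS"]
    granted = mfa_server(user, password, user_answers, trace)
    trace.append("10 user accesses resource" if granted else "10 access denied")
    return granted, trace
```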

Page 14: Multi-factor Authentication for AAD & Microsoft Accounts

Azure combines the previous authenticator apps into a new app which works with both Microsoft accounts and Azure AD accounts.
• Best-in-breed MFA experience through one-click push notifications
• Support for wearables
• Fingerprints instead of passcodes
• Certificate-based authentication

Page 15: MONITOR AND PROTECT

Feature comparison. Column A: MFA for Office 365/Azure Administrators; column B: Azure Multi-Factor Authentication. "Yes" = included; "-" = not included.

Feature | A | B
Administrators can enable/enforce MFA to end users | Yes | Yes
Use mobile app (online and OTP) as second authentication factor | Yes | Yes
Use phone call as second authentication factor | Yes | Yes
Use SMS as second authentication factor | Yes | Yes
Application passwords for non-browser clients (e.g., Outlook, Lync) | Yes | Yes
Default Microsoft greetings during authentication phone calls | Yes | Yes
Suspend MFA from known devices | Yes | Yes
Custom greetings during authentication phone calls | - | Yes
Fraud alert | - | Yes
MFA SDK | - | Yes
Security reports | - | Yes
MFA for on-premises applications / MFA Server | - | Yes
One-time bypass | - | Yes
Block/Unblock users | - | Yes
Customizable caller ID for authentication phone calls | - | Yes
Event confirmation | - | Yes
Trusted IPs | - | Yes

Page 16: Demo: Configuring Multi-factor Authentication

Page 17: Windows 10 Azure AD joined devices

Azure Active Directory Join makes it possible to connect work-owned Windows 10 devices to your company's Azure Active Directory.
• Intune/MDM auto-enrollment
• Enterprise-compliant services
• SSO from the desktop to cloud and on-premises applications with no VPN
• Support for hybrid environments

Page 18: Demo: Windows 10 Domain Join

Page 19: Policy inputs and decisions with AAD Conditional Access

Policy inputs (the diagram shows on-premises applications alongside cloud apps):

APPLICATION
• Per-app policy
• Type of client
• Business sensitivity

OTHER
• Network location
• Risk profile

DEVICES
• Are domain joined
• Are compliant
• Platform type (Windows, iOS, Android)

USER ATTRIBUTES
• User identity
• Group memberships
• Auth strength (MFA)

Policy decision:
• Allow
• Enforce MFA
• Block

Risk signals:
• Brute force attacks
• Leaked credentials
• Infected devices
• Suspicious sign-in activities
• Configuration vulnerabilities
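To make the policy inputs and the three decisions on this slide concrete, an added Python evaluator (an illustration written for this transcript, not Azure AD's engine): the field names, the precedence rules (block conditions are checked before MFA conditions; MFA is required off corpnet, for high-sensitivity apps, or at medium risk) and the choice to block legacy clients that cannot be prompted are assumptions chosen for the example.

```python
"""Toy Conditional Access evaluator (added illustration, not Microsoft's engine).

Models the signals on the slide -- application sensitivity, client type,
network location, risk profile, device state and platform, user identity,
group membership and current auth strength -- and returns one of the three
decisions the slide lists: Allow, Enforce MFA or Block.
"""
from dataclasses import dataclass, field

ALLOW, ENFORCE_MFA, BLOCK = "Allow", "Enforce MFA", "Block"

@dataclass
class SignIn:
    user: str
    groups: set = field(default_factory=set)
    mfa_done: bool = False          # auth strength already achieved in this session
    client: str = "browser"         # or "legacy" (client that cannot be prompted for MFA)
    location: str = "external"      # "corpnet" or "external"
    risk: str = "low"               # risk profile: "low", "medium", "high"
    domain_joined: bool = False
    compliant: bool = False
    platform: str = "Windows"

@dataclass
class AppPolicy:
    name: str
    sensitivity: str = "normal"     # business sensitivity: "normal" or "high"
    allowed_groups: set = field(default_factory=set)   # empty = any user
    platforms: set = field(default_factory=set)        # empty = any platform
    require_compliant_device: bool = False

def evaluate(app: AppPolicy, s: SignIn) -> str:
    """Most restrictive outcome wins: every Block rule runs before the MFA rule."""
    if app.allowed_groups and not (s.groups & app.allowed_groups):
        return BLOCK                                   # user is not entitled to the app
    if s.risk == "high":
        return BLOCK                                   # e.g. leaked credentials, infected device
    if app.platforms and s.platform not in app.platforms:
        return BLOCK
    if app.require_compliant_device and not (s.domain_joined and s.compliant):
        return BLOCK
    if s.client == "legacy":
        return BLOCK                                   # assumption: cannot complete MFA, so deny
    needs_mfa = (app.sensitivity == "high"
                 or s.location != "corpnet"
                 or s.risk == "medium")
    if needs_mfa and not s.mfa_done:
        return ENFORCE_MFA
    return ALLOW
```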

Page 20: Demo: Configuring Conditional Access

Page 21: Public Preview

Diagram (information protection): company internal versus your perimeter, with mobility, managed devices and external sharing crossing the boundary; the data itself is drawn as a bit stream.

Page 22: Classify, Protect, Monitor, Respond

The integration of Azure RMS and Secure Islands for a comprehensive information protection solution that protects data at every stage. Diagram: the cycle classify, protect, monitor, respond, with labels applied to data and files.

http://bit.ly/2bFoIVl

Page 23: Summary

Azure AD Premium offers multiple options for managing identities. You can manage and monitor access across devices for users in the office or remote. Data security and sovereignty can be assured. Sign up for your free Azure and Azure AD Premium trial and test for yourself.