Global Azure Bootcamp 2017 was completed recently across the world with great success, and I got another opportunity to deliver a session at this great event hosted in Chennai, India. I have uploaded the session slide deck for you.
Event URL: https://goo.gl/w8UWiM
Understanding Azure Active Directory and Enterprise Mobility & Security (EMS)
1. Understanding Azure Active Directory and Enterprise Mobility & Security (EMS)
Ravikumar Sathyamurthy | @ShakthiRavi
Microsoft MVP | Office Servers and Services
22/04/2017
3. Mobile-first, cloud-first reality
Data breaches: 63% of confirmed data breaches involve weak, default, or stolen passwords.
IT budget growth: Gartner predicts global IT spend will grow only 0.6% in 2016.
Shadow IT: More than 80 percent of employees admit to using non-approved software as a service (SaaS) applications in their jobs.
5. Identity as the control plane
Diagram labels: On-premises; Windows Server Active Directory.
6. Identity as the control plane
Diagram labels: On-premises; Windows Server Active Directory; VPN; BYO; SaaS; Azure; Cloud; Public cloud; Customers; Partners.
7. Identity as the control plane
Diagram labels: On-premises; Windows Server Active Directory; VPN; BYO; Microsoft Azure Active Directory; Azure; Cloud; Public cloud; Customers; Partners.
8. Azure AD as the control plane
Diagram labels: Microsoft Azure Active Directory; On-premises; Windows Server Active Directory; BYO; Azure; Cloud; Public cloud; Customers; Partners.
9. Identity as the core of enterprise mobility
Diagram labels: Single sign-on; Self-service; Simple connection; On-premises; Other directories; Windows Server Active Directory; SaaS; Azure; Public cloud; Cloud; Microsoft Azure Active Directory.
10. What is Azure Active Directory?
A comprehensive identity and access management cloud solution.
It combines directory services, advanced identity governance, application access management and a rich standards-based platform for developers.
It is available in 3 editions: Free, Basic and Premium.
11. Every Office 365 and Microsoft Azure customer uses Azure Active Directory
• 33,000 Enterprise Mobility + Security | Azure AD Premium enterprise customers
• >110k third-party applications used with Azure AD each month
• >1.3 billion authentications every day on Azure AD
• More than 750 M user accounts on Azure AD
• >10 M Azure AD directories
• >85% of Fortune 500 companies use Microsoft Cloud (Azure, O365, CRM Online, and PowerBI)
• Microsoft “Identity Management as a Service (IDaaS)” for organizations.
• Millions of independent identity systems controlled by enterprise and government “tenants.”
• Information is owned and used by the controlling organization—not by Microsoft.
• Born-as-a-cloud directory for Office 365. Extended to manage across many clouds.
• Evolved to manage an organization’s relationships with its customers/citizens and partners (B2C and B2B).
12. Azure Active Directory Premium
Built on top of the free offering, provides a robust set of capabilities to empower enterprises with demanding needs on identity and access management.
Additionally, Azure AD Premium offers:
• An Enterprise SLA of 99.9%
• Usage rights to Identity Manager Server and CALs
Azure AD Editions: http://bit.ly/1gyDRoN
13. Azure Active Directory. Identity at the core of your business
1000s of apps, 1 identity: Provide one persona to the workforce for SSO to 1000s of cloud and on-premises apps
Cloud-powered protection: Ensure user and admin accountability with better security and governance
Manage access at scale: Manage identities and access at scale in the cloud and on-premises
Enable business without borders: Stay productive with universal access to every app and collaboration capability
14. Strong support for modern, cross-platform, cloud-friendly APIs and protocols
Certification program for third-party federation servers & services
Actively engaged in standards bodies: IETF (OAuth, JOSE, SCIM, ACE, …), OpenID, FIDO, etc.
15. 1000s of apps, 1 identity
Provide one persona to the modern workforce for SSO to 1000s of cloud and on-premises applications
Single sign-on to SaaS apps
Secure remote access to on-premises apps
Single sign-on to mobile apps
Support for lift-and-shift of traditional apps to the cloud
17. Azure Active Directory Connect
Components: ADFS; Sync engine
Consolidated deployment assistant for your identity bridge components.
All currently available sync engines (DirSync, Azure Active Directory Sync, FIM+Azure Active Directory Connector) will be replaced by the sync engine included in the Connect tool.
Assisted deployment of ADFS will be available through Azure Active Directory Connect.
ADFS is an optional component for authentication in hybrid implementation. Password sync can replace ADFS for more scenarios.
1000s OF APPS, 1 IDENTITY
18. Identity synchronization with password (hash) sync vs. federation (ADFS)
Identity synchronization: User attributes are synchronized using identity synchronization services, including a password hash; authentication is completed against Microsoft Azure Active Directory.
ADFS (federation): User attributes are synchronized using identity synchronization tools; authentication is passed back through federation and completed against Windows Server Active Directory.
1000s OF APPS, 1 IDENTITY
19. Azure Active Directory Connect and Connect Health
Connect and sync on-premises directories with Microsoft Azure Active Directory.
Diagram labels: MIM*; HR apps; OTHER DIRECTORIES; PowerShell; SQL (ODBC); LDAP v3; Web Services (SOAP, JAVA, REST).
1000s OF APPS, 1 IDENTITY
20. 2700+ pre-integrated popular SaaS apps and self-service integration via templates
Connect and sync on-premises directories with Azure
Easily publish on-premises web apps via Application Proxy + custom apps
Diagram labels: Web apps (Azure Active Directory Application Proxy); Integrated custom apps; SaaS apps; OTHER DIRECTORIES; Microsoft Azure.
1000s OF APPS, 1 IDENTITY
21. Application Proxy
Cloud service that allows users to remotely and securely access on-prem apps from any device and any place.
Different types of web apps and APIs can be ‘published’.
Connectors are usually deployed inside the corpnet next to the applications. They maintain an outbound connection to the service.
Multiple connectors can be deployed for redundancy, scale and access to different sites.
Users connect to the ‘published’ apps and the cloud service routes traffic to the backend applications via ‘connectors’.
Diagram labels: Corporate network; Microsoft Azure Active Directory; DMZ; https://app1-contoso.msappproxy.net/ (published URL); http://app1 (backend application).
1000s OF APPS, 1 IDENTITY
22. Lift-and-shift on-premises apps to Azure IaaS
Your domain controller as a service for lift-and-shift scenarios
Diagram labels: On-premises; Windows Server Active Directory; Azure AD Connect; Azure Active Directory; Azure AD Domain Services; Your virtual network (Azure); Your Azure IaaS workloads/apps; Kerberos; NTLM; LDAP; Group Policy.
1000s OF APPS, 1 IDENTITY
26. Enterprise Mobility & Security capabilities
Identity and access management
Azure Active Directory Premium P1: Single sign-on to cloud and on-premises applications. Basic conditional access security.
Azure Active Directory Premium P2: Advanced risk-based identity protection with alerts, analysis, & remediation.
Managed Mobile Productivity
Microsoft Intune: Mobile device and app management to protect corporate apps and data on any device.
Identity Driven Security
Microsoft Advanced Threat Analytics: Identify suspicious activities & advanced attacks on premises.
Microsoft Cloud App Security: Bring enterprise-grade visibility, control, and protection to your cloud applications.
Information Protection
Azure Information Protection Premium P1: Encryption for all files and storage locations. Cloud based file tracking. (Existing Azure RMS capabilities)
Azure Information Protection Premium P2: Intelligent classification, & encryption for files shared inside & outside your organization. (Secure Islands acquisition)
Suites: EMS E3; EMS E5
30. Enable business without borders
Stay productive everywhere with easy access to every application and powerful collaboration capabilities across location, application, and device borders
Ease of use for end users
Any time, any place productivity with Windows 10
Better connect with your consumers
Enable cross-organization collaboration
31. Windows 10 Azure AD joined devices
Azure Active Directory Join makes it possible to connect work-owned Windows 10 devices to your company’s Azure Active Directory
Enterprise-compliant services
SSO from the desktop to cloud and on-premises applications with no VPN
Support for hybrid environments
Intune/MDM auto-enrollment
Enterprise State Roaming
ENABLE BUSINESS WITHOUT BORDERS
32. Manage access at scale
Manage identities at scale in the cloud and on-premises
Advanced user lifecycle management
Monitor your identity bridge
Low IT overhead
33. IT professional
Centralized access administration for pre-integrated SaaS apps and other cloud-based apps
Dynamic groups, device registration, secure business processes with advanced access management capabilities
Comprehensive identity and access management console
Provisioning and deprovisioning with customization options
MANAGE ACCESS AT SCALE
38. Try Enterprise Mobility + Security for free, today: https://aka.ms/EMSTrial
Read the CIO’s guide to Azure Active Directory: https://aka.ms/AzureADCIOGuide
Explore Identity + Access Management: www.microsoft.com/identity
Learn more from the Azure AD documentation library: https://aka.ms/AzureADDoc
Discover Password best practices: https://aka.ms/PasswordBestPractices
Check out the new Azure AD webinars: https://aka.ms/AADWebinars
Microsoft is a leader in Gartner's IDaaS MQ 2016: https://aka.ms/GartnerIDaaSMQ2016
Review design considerations for your hybrid Azure AD: https://aka.ms/HybridAzureADConsiderations
Microsoft has a solution for this
[Click] Traditional identity and access management solutions providing single sign-on to on-premises applications and directory services such as Active Directory and others are used by the vast majority of organizations, and huge investments were made to deploy and maintain them. These solutions are perfect for the on-premises world.
[Click] Now, as we have discussed, there are new pressing requirements to provide the same experience for cloud applications hosted in any public cloud.
[Click] Azure Active Directory can be the solution to this new challenge by extending the reach of on-premises identities to the cloud in a secure and efficient way.
[Click] In order to do that, one simple connection is needed from on-premises directories to Azure AD,
[Click] and everything else will be handled by Azure AD: secure single sign-on to thousands of SaaS applications hosted in any cloud by using the same credentials that exist on-premises.
[Click] And we don’t forget the users. Azure AD provides self-service capabilities and easy access to all the applications, consumer or business, that they need, in the cloud but on-premises too (Application Proxy).
Case Study: Bristow Group: https://customers.microsoft.com/Pages/CustomerStory.aspx?recid=28655
Case Study: Vetco: https://customers.microsoft.com/Pages/CustomerStory.aspx?recid=29237&fbid=NOFBID&mtag=mbar-twitter
Case Study: Whole Foods
Case Study: St. Luke’s Health System: https://customers.microsoft.com/Pages/CustomerStory.aspx?recid=21651
“Microsoft is consistently and constantly looking out for us from a security perspective. We benefit from its experience in securing millions of users across its cloud assets, from Outlook.com to Xbox Live to Office 365 and Azure. Microsoft is a silent partner on our security team.”
Will Lamb, Infrastructure Coordinator, Whole Foods Market