1-Identity

Module 1: Managing Identity
Enterprise Device Infrastructure Camp
Dan Stolts
Chief Technology Strategist
Microsoft
ITProGuru@Microsoft.com Twitter: @ITProGuru
Corporate Identity Comes from Many Sources

Identity attributes are often located in multiple repositories, each reached through its own interface (SQL over ODBC, Web Services over SOAP, JAVA or REST, PowerShell, LDAP v3). The example user on the slide is spread across four of them:

• HR System: givenName = Samantha, surname = Dearing, employeeID = 007
• Database: title = Coordinator
• Exchange: e-mail = samd@contoso.com
• LDAP: telephone = 555-123-4567

Forefront Identity Manager creates a compilation of these attributes with validation and keeps this in sync with all identity realms:

givenName: Samantha
surname: Dearing
title: Coordinator
E-mail: samd@contoso.com
employeeID: 007
telephone: 555-123-4567
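The compilation step the slide attributes to Forefront Identity Manager, joining partial records from several repositories on employeeID, applying per-attribute source precedence, validating values and flagging disagreements, as an added illustration that is not FIM's own code or the deck's; the feeds, the precedence table and the conflicting LDAP surname and invalid Database telephone are constructed sample data.

```python
import re

# Constructed sample feeds: each repository returns partial records keyed by employeeID.
# Values follow the slide (Samantha Dearing, 007); the LDAP surname and the Database
# telephone are deliberately wrong to exercise conflict detection and validation.
SOURCES = {
    "HR":       [{"employeeID": "007", "givenName": "Samantha", "surname": "Dearing"}],
    "Database": [{"employeeID": "007", "title": "Coordinator", "telephone": "ext. 4567"}],
    "Exchange": [{"employeeID": "007", "e-mail": "samd@contoso.com"}],
    "LDAP":     [{"employeeID": "007", "telephone": "555-123-4567", "surname": "Dearing-Old"}],
}

# Authoritative repository per attribute; later entries are fallbacks only.
PRECEDENCE = {
    "givenName": ["HR"], "surname": ["HR", "LDAP"], "title": ["Database"],
    "e-mail": ["Exchange"], "telephone": ["Database", "LDAP"],
}

# Validation applied before a value may enter the compiled identity.
VALIDATORS = {
    "e-mail": re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+"),
    "telephone": re.compile(r"\d{3}-\d{3}-\d{4}"),
    "employeeID": re.compile(r"\d+"),
}


def validate(attr, value):
    pattern = VALIDATORS.get(attr)
    return pattern is None or pattern.fullmatch(value) is not None


def compile_identities(sources=SOURCES, precedence=PRECEDENCE):
    """Return (identities, conflicts): one validated record per employeeID, plus a list
    of (employeeID, attribute, candidates) where valid sources disagree on a value."""
    by_id = {}
    for source, records in sources.items():
        for rec in records:
            by_id.setdefault(rec["employeeID"], {})[source] = rec
    identities, conflicts = {}, []
    for emp_id, per_source in by_id.items():
        merged = {"employeeID": emp_id}
        for attr, order in precedence.items():
            candidates = [(s, per_source[s][attr]) for s in order
                          if s in per_source and attr in per_source[s]]
            valid = [(s, v) for s, v in candidates if validate(attr, v)]
            if not valid:
                continue                      # no usable value: leave the attribute unset
            merged[attr] = valid[0][1]        # highest-precedence valid source wins
            if len({v for _, v in valid}) > 1:
                conflicts.append((emp_id, attr, valid))
        identities[emp_id] = merged
    return identities, conflicts
```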
Identity: Cloud, Sync or Federated?

• Cloud identity provides a solution where all identity resides in the cloud.
• Identity sync enables customers to bridge their existing identity into the cloud.
• Federated identity allows customers to retain all authentication on-premises.
• B2B federated identity allows customers to securely share and collaborate with each other.
Common Identity with Sync and Federation

Synchronization
• User attributes are synchronized, including the password hash. Authentication can be completed against either Azure or Windows Server Active Directory.
• *Write back of attributes to support cloud first and coexistence (*Coming Soon)

Federation
• AD FS provides conditional access to resources, Workplace Join for device registration and integrated Multi-Factor Authentication.
• User attributes are synchronized; authentication is passed back through federation and completed against Windows Server Active Directory.

*Direct to cloud identity sync (*Coming Soon)
• Azure Active Directory Sync provides the ability to sync disparate on-premises identity repositories (Web Services over SOAP, JAVA or REST; LDAP v3; PowerShell; SQL over ODBC) directly to Azure Active Directory.
Active Directory integrated (diagram labels: Devices, Apps and data, Published apps)

• Active Directory provides the central repository of user identity as well as device registration information.
• Users can access corporate apps and data wherever they are.
• IT can use the Web Application Proxy to authenticate users and devices with Multi-Factor Authentication.
• Use conditional access for granular control over how and where the app can be accessed.
• Developers can leverage Microsoft Azure Mobile Services to integrate and enhance their apps.
• Organizations can federate with partners and other organizations for seamless access to shared resources.
Example Workload: Single sign-on to Office 365 and Microsoft Intune

• Cloud Identity: A user with a cloud-only identity can sign in to Office 365 and Microsoft Intune using their Azure Active Directory credentials.
• Directory Sync: When an Active Directory user logs on, their synchronized credentials are used to authenticate against Azure Active Directory.
• Federated Identity: When an Active Directory user logs on, the authentication is passed back and validated against Windows Server Active Directory.
Azure Multi-Factor Authentication

• A stand-alone Azure Identity and Access Management service, also included in Azure Active Directory Premium.
• Prevents unauthorized access to both on-premises and cloud applications by providing an additional level of authentication.
• Trusted by thousands of enterprises to authenticate employee, customer, and partner access.

Feature comparison (the slide lists the features below across two columns, "MFA for Office 365/Azure Administrators" and "Azure Multi-Factor Authentication"; the column marks did not survive extraction):
• Administrators can Enable/Enforce MFA to end-users
• Use Mobile app (online and OTP) as second authentication factor
• Use Phone call as second authentication factor
• Use SMS as second authentication factor
• Application passwords for non-browser clients (e.g. Outlook, Lync)
• Default Microsoft greetings during authentication phone calls
• Custom greetings during authentication phone calls
• Fraud alert
• MFA SDK
• Security Reports
• MFA for on-premises applications / MFA Server
• One-Time Bypass
• Block/Unblock Users
• Customizable caller ID for authentication phone calls
• Event Confirmation
Self-service experiences on-premises

• Users can edit their profile details to update and add missing information.
• Users can reset their passwords, significantly reducing help desk burden and costs.
• Users can onboard new users and contractors into their teams and provide access to required resources.
• Self-service group management, including dynamic membership calculation in these groups and distribution lists, based on the user’s attributes.
• All changes and updates are workflow and policy driven, with approval routing as appropriate.

Self-service experiences in the cloud

• Users can manage access requests through self-service group management.
• Users can edit their profile details to update and add missing information.
• Users can easily access the SaaS apps they need, using their existing Active Directory credentials.
• Self Service Password change and reset for cloud users.
• Leverage existing investments in Active Directory for a single set of user credentials.
Workplace Join & Device Registration Service

Diagram: device states from Unknown to Domain Joined (with Active Directory at the domain-joined end), plotted against the organization's control (No control, Partial control, Full control) and the end-user's access (No access, Partial access, SSO, Full access).

• Lightweight registration process for personal devices
• Enables access to data when using a registered, trusted device; leverages the user and device identities together
• Used with Dynamic Access Control in Windows Server 2012 R2
• Primarily a security capability, potentially combined with MDM for manageability
Diagram: Irwin on an unknown device. Irwin is authenticated (AD FS → Apps); only the user identity is known.
Diagram: Irwin on his Workplace Joined device. Irwin is authenticated and Irwin’s device is authenticated (AD FS → Apps).

Device authentication
• Establishes an identity for the device
• Seamless for the end-user: done using client TLS, handled by the device OS platform, transparent to the user.
• Compound identity (‘user@device’): provides second factor authentication
• Validates device identity: resources can be restricted to prevent access from unknown devices.

Supported platforms
• Windows 8.1+
• iOS 6+
• Android (Samsung KNOX)
• Windows 7 Pro (domain-joined)
DRS: Device Registration Service

Registration flow between the device, Azure DRS and Azure AD:
• Authenticate user
• Register device (Azure DRS)
• Device registered, install device certificate
• Create device object in AD, associate user with device (Azure AD)

Workplace Join using the Azure AD Device Registration Service (Azure DRS)
• Enables end-users to join their BYOD devices to the workplace
• Recommended for customers who have hybrid deployments (resources across on-premises & the cloud)
• No need to deploy DRS on-premises
• Device objects need to be synchronized to the on-premises directory using DirSync to enable conditional access control on-premises
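The device registration flow above, the compound ‘user@device’ decision from the Device authentication slide, and the DirSync dependency in the last bullet, as an added simulation that is not Microsoft's DRS or AD FS code: the directory, the users and passwords, the random thumbprint standing in for a device certificate presented over client TLS, and the three access levels are all constructed assumptions.

```python
import hashlib
import secrets
from dataclasses import dataclass, field


@dataclass
class Directory:
    """Hypothetical directory: users map to a constructed password, registered devices
    map a certificate thumbprint to the device object and its associated user."""
    users: dict = field(default_factory=dict)
    devices: dict = field(default_factory=dict)


def authenticate_user(d, user, password):
    return d.users.get(user) == password


def register_device(d, user, password, os_name):
    """Azure DRS flow: authenticate the user, register the device, create the device
    object associated with that user, and hand back the 'installed' certificate thumbprint."""
    if not authenticate_user(d, user, password):
        raise PermissionError("user authentication failed")
    thumbprint = hashlib.sha1(secrets.token_bytes(32)).hexdigest()  # stands in for a real cert
    d.devices[thumbprint] = {"owner": user, "os": os_name, "enabled": True}
    return thumbprint


def access_decision(d, user, password, device_thumbprint=None, require_registered=False):
    """AD FS-style conditional access: user factor first, then the device factor presented via
    client TLS. Returns 'deny', 'partial' (user only) or 'full' (compound user@device)."""
    if not authenticate_user(d, user, password):
        return "deny"
    dev = d.devices.get(device_thumbprint)
    # The device only counts when it is known, enabled and registered to this same user;
    # a valid certificate belonging to someone else is not a second factor for this user.
    device_ok = dev is not None and dev["enabled"] and dev["owner"] == user
    if device_ok:
        return "full"
    return "deny" if require_registered else "partial"


def dirsync_devices(cloud, onprem):
    """Copy cloud device objects on-premises; until this runs, on-prem policy cannot see them."""
    onprem.devices.update(cloud.devices)
    return len(onprem.devices)
```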
LAB: Workplace Join (LAB4 during lunch)
Complete the tasks in the Before you begin section of E202B before attempting the lab.
Screenshot: Windows 8.1 PC settings, Network section (Connections, HomeGroup, Proxy, Radio devices, Workplace), Workplace page:
Enter your user ID to get workplace access or turn on device management
someone@example.com
Join your workplace network so that you can use network resources like internal websites and business apps. [Join]
Apps and services from IT [Turn on]
Workplace Join for Windows 7
http://technet.microsoft.com/en-us/library/dn609827.aspx

Lab 5 (complete “Before you begin”): Workplace Join on Windows 7
Scenario: SharePoint with conditional access & MFA

• Users can connect to a published on-premises SharePoint server that has been integrated with AD FS.
• Through conditional access policies we can enforce additional authentication and authorization requirements, such as device registration.
• With integrated MFA, AD FS facilitates the device registration process and allows the user to continue and gain access to the SharePoint site.

Screenshot labels: Surface & iPad
How to access the labs: IME3065

Navigate to https://cloud.holsystems.com/ITCamp.
On the portal landing page, select Login with Microsoft Account, as shown below (this is your LiveID).
Your attendee lab access event code is: IME3065
Select Launch Lab next to the session you would like to do.
Next steps

Download evaluation software
Download free Microsoft software trials today at the TechNet Evaluation Center.
http://aka.ms/CampEval

Learn more
Boost your technical skills with free expert-led technical training on Windows 8 from Microsoft Virtual Academy.
http://aka.ms/CampMVAWin

Get certified
Get hired, get recognized, and get ahead with the MCSA Windows 8 certifications from Microsoft.
http://aka.ms/CampCertWin

Evaluate online
Test Microsoft’s newest products and technologies in a virtual environment for free at the Microsoft Virtual Labs.
http://aka.ms/CampVlabs