The current reality
Identity as the core of enterprise mobility: Azure Active Directory as the control plane. On-premises directories (Windows Server Active Directory and other directories) and external identities (customers, partners) connect to Microsoft Azure Active Directory in the cloud through a simple connection, and Azure AD in turn provides self-service and single sign-on to Azure, SaaS and public cloud applications.
1000s of apps, 1 identity: more options than ever! Identity synchronization from on-premises AD to Microsoft Azure Active Directory can be combined with one of three sign-in methods:
1. Identity synchronization + Password Hash Synchronization + Seamless SSO
2. Identity synchronization + ADFS
3. Identity synchronization + Pass-through Authentication + Seamless SSO
1000s of apps, 1 identity: how it works (pass-through authentication). The Azure AD Security Token Service (STS) never validates the password itself; a connector on the Contoso corpnet does:
1. The user enters their user name and password at the Azure AD STS.
2. The connector is notified of the request.
3. The connector validates the credentials against AD (the domain controller).
4. The DC returns the result to the connector.
5. The connector returns the result to Azure AD.
6. A token is returned to the user, or further proofs (MFA) are initiated.
1000s of apps, 1 identity: how Seamless SSO works with pass-through authentication and password hash synchronisation. A domain-joined user on the Contoso corpnet proves their identity to the Azure AD STS with a Kerberos ticket instead of a password:
1. The user enters their username at the Azure AD STS.
2. The STS sends a 401 response asking for a Kerberos ticket.
3. The user requests a Kerberos ticket from AD.
4. AD returns the Kerberos ticket.
5. The user sends the ticket to the Azure AD STS.
6. A token is returned to the user, or further proofs (MFA) are initiated.
Azure Active Directory capabilities: Azure AD Connect, B2B collaboration, provisioning/deprovisioning, Conditional Access, SSO to SaaS, self-service capabilities, Connect Health, Multi-Factor Authentication, addition of custom cloud apps, O365 Group expiration, Dynamic Groups, Identity Protection, remote access to on-premises apps, Azure AD B2C, group-based licensing, Privileged Identity Management, Microsoft Authenticator (password-less access), Azure AD Join, MDM auto-enrollment / Enterprise State Roaming, security reporting, Azure AD DS, Access Panel/MyApps, HR app integration, governance.
Cloud-powered protection: because "Who are you?" is not enough. Conditional Access evaluates conditions (user, app sensitivity, device state, location, risk) and applies one of three actions: allow access, enforce MFA per user/per app, or block access.
Azure AD Reporting. Security reports: infected devices, brute force attacks, configuration vulnerabilities, leaked credentials, risky sign-ins, users flagged for risk. Activity reports: sign-in activities, suspicious sign-in activities, audit logs. Notifications. Reporting solutions: data extracts/downloads and reporting APIs, so that the learnings of the Microsoft machine-learning engine can be applied in your existing security tools.
Azure AD: machine learning + secret sauce. Azure AD Premium provides more reports and more data for performing investigations.
Azure AD: assigning licenses, the easy way. Licenses can be assigned using any security group, cloud-only or synced from AD. All Microsoft Online Services that require user-level licensing are supported. Individual SKUs can be disabled, e.g. Office 365 except Skype. Dynamic Groups can be used, for example:
DG-O365-GBL: CustomAttribute10 contains O365 -> O365E3 license
DG-EMS-GBL: CustomAttribute10 contains EMS -> EMSE3 license
User1: CustomAttribute10 = EMS;O365 (so User1 lands in both groups and receives both licenses)
https://docs.microsoft.com/en-us/azure/active-directory/active-directory-licensing-group-migration-azure-portal
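The two dynamic-group rules above can be checked before they are switched on. The following Python script is an added example, not code from the slide deck or from Microsoft: it evaluates rules written in the Azure AD dynamic-membership syntax (assumption: the Exchange attribute the slide calls CustomAttribute10 appears in rules as user.extensionAttribute10, and -contains is a substring match) against a constructed sample directory, computes the licenses each user would receive through group-based licensing, and flags users whose outcome differs between substring matching and exact ";"-separated token matching. User3 is a constructed edge case whose value merely contains the string "O365".

```python
import re

# Constructed sample directory (not real tenant data). User1 is the slide's
# example; User3 and User4 are added edge cases.
USERS = {
    "User1": {"extensionAttribute10": "EMS;O365"},
    "User2": {"extensionAttribute10": "O365"},
    "User3": {"extensionAttribute10": "NoO365"},  # substring hit, not a real token
    "User4": {"extensionAttribute10": None},      # attribute never populated
}

# The slide's two dynamic groups and the license each carries. The attribute
# name in the rule is an assumption (CustomAttribute10 -> extensionAttribute10).
GROUPS = {
    "DG-O365-GBL": {"rule": '(user.extensionAttribute10 -contains "O365")',
                    "license": "O365E3"},
    "DG-EMS-GBL":  {"rule": '(user.extensionAttribute10 -contains "EMS")',
                    "license": "EMSE3"},
}

# Minimal subset of the rule syntax: (user.<attr> -contains|-eq "<value>")
RULE_RE = re.compile(r'^\(user\.(\w+)\s+-(contains|eq)\s+"([^"]*)"\)$')


def parse_rule(rule):
    """Return (attribute, operator, value) for a single-clause rule."""
    m = RULE_RE.match(rule.strip())
    if not m:
        raise ValueError(f"unsupported rule: {rule}")
    return m.groups()


def matches(attrs, rule, token_match=False):
    """Evaluate one rule against one user's attributes.

    token_match=False reproduces -contains as a substring test;
    token_match=True treats the attribute as ';'-separated tokens instead.
    """
    attr, op, value = parse_rule(rule)
    actual = attrs.get(attr)
    if actual is None:          # missing attribute never matches
        return False
    if op == "eq":
        return actual == value
    if token_match:
        return value in [t.strip() for t in actual.split(";")]
    return value in actual      # substring semantics of -contains


def members(users, rule, token_match=False):
    """Sorted list of users the rule would place in the group."""
    return sorted(u for u, attrs in users.items()
                  if matches(attrs, rule, token_match))


def licenses(users, groups, token_match=False):
    """Map each user to the set of licenses their group memberships grant."""
    out = {u: set() for u in users}
    for group in groups.values():
        for user in members(users, group["rule"], token_match):
            out[user].add(group["license"])
    return out


def audit(users, groups):
    """Users whose license set differs between substring and token matching;
    each value is (licenses_with_substring, licenses_with_tokens)."""
    sub = licenses(users, groups)
    tok = licenses(users, groups, token_match=True)
    return {u: (sorted(sub[u]), sorted(tok[u]))
            for u in users if sub[u] != tok[u]}


if __name__ == "__main__":
    for user, lics in licenses(USERS, GROUPS).items():
        print(f"{user}: {sorted(lics)}")
    print("mismatches:", audit(USERS, GROUPS))
```

Running the script shows User1 receiving both O365E3 and EMSE3, as the slide describes, while the audit singles out User3, who would be licensed under substring matching but not under token matching. Running such a comparison over the real attribute values before enabling group-based licensing avoids paying for, and granting access through, licenses that a loosely written rule hands out by accident.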
The process
Azure AD: spring cleaning time! O365 Groups have been really popular; however, with no control, their number can grow quickly. Azure AD Premium (AADP) now allows you to configure an O365 Group expiration policy.
Manage access at scale: monitor and gain insights into the identity infrastructure used to extend on-premises identities to Azure Active Directory and Office 365. Monitored components: the Azure AD Connect sync engine health, ADFS infrastructure health, and on-premises AD Domain Services health.
Azure Active Directory Connect Health Portal