EXPERTS LIVE SUMMER NIGHT
Hybrid Identity: the umbrella in the cloud
Robbert van der Zwan, TSP EM+S, Netherlands
Robbert van der Zwan
Robbert works as an Enterprise Mobility and Security (EM+S) Technical Solution Professional (TSP) for Microsoft in the Netherlands.
Enterprise Mobility + Security (EMS)
Identity and access management: Azure Active Directory Premium
User and entity behavioral analytics: Advanced Threat Analytics
Mobile device and app management: Intune
Information protection: Azure Information Protection
Cloud and SaaS app security: Cloud App Security
Identity as the control plane
(Diagram in three builds: Windows Server Active Directory on-premises; then extended to customers, partners, Azure, SaaS, public cloud and BYO devices connected over VPN; then further public cloud added alongside Azure.)
Azure AD as the control plane
A modern identity management system spanning cloud and on-premises, providing federation, identity management, device registration, user provisioning, application access control and data protection.
(Diagram: Microsoft Azure Active Directory in the cloud, linked to Windows Server Active Directory on-premises and to customers, partners, Azure and public cloud.)
Identity synchronization with password (hash) sync: user attributes are synchronized to Microsoft Azure Active Directory using identity synchronization services, including a password hash; authentication is completed against Azure Active Directory.
Identity synchronization with federation (ADFS): user attributes are synchronized using identity synchronization tools; authentication is passed back through federation and completed against Windows Server Active Directory.
1000s OF APPS, 1 IDENTITY
Identity + password (hash) synchronization: user identities and password hashes are synchronized to Microsoft Azure Active Directory, and Azure Active Directory authenticates the user.
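The deck says a "password hash" is synchronized, which often raises the question of whether the cloud then holds pass-the-hash material. The Python below is an added example, not code from the deck or from Azure AD Connect, that models what password hash synchronization actually uploads. The steps follow Microsoft's public description of the feature (the 16-byte NT hash is expanded to 64 bytes via its hex string re-encoded as UTF-16LE, a 10-byte per-user salt is added, and PBKDF2-HMAC-SHA256 with 1000 iterations is applied); exactly how the expanded hash and the salt are fed into PBKDF2 is my assumption about the byte layout, the MD4 step that produces the NT hash is left out (the 16-byte hashes are constructed inputs, not real ones), and all function and variable names are mine.

```python
import hashlib
import hmac
import os

# Parameters from Microsoft's public description of password hash sync (not from
# this deck): 10-byte per-user salt, PBKDF2-HMAC-SHA256, 1000 iterations.
SALT_LEN = 10
PBKDF2_ITERATIONS = 1000


def expand_nt_hash(nt_hash: bytes) -> bytes:
    """Expand the 16-byte NT hash to 64 bytes: hex string, re-encoded as UTF-16LE."""
    if len(nt_hash) != 16:
        raise ValueError("NT hash must be 16 bytes")
    return nt_hash.hex().encode("utf-16-le")  # 32 hex characters -> 64 bytes


def derive_cloud_hash(nt_hash: bytes, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """One-way derivation of the value Azure AD stores. Using the expanded hash as the
    PBKDF2 password and the per-user salt as the PBKDF2 salt is my assumed layout."""
    if len(salt) != SALT_LEN:
        raise ValueError(f"salt must be {SALT_LEN} bytes")
    return hashlib.pbkdf2_hmac("sha256", expand_nt_hash(nt_hash), salt, iterations)


def build_sync_record(nt_hash: bytes, salt: bytes = None) -> dict:
    """Azure AD Connect side: what is synchronized for one user (hash, salt, iterations).
    The NT hash itself is never part of the record."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    return {"hash": derive_cloud_hash(nt_hash, salt), "salt": salt, "iterations": PBKDF2_ITERATIONS}


def verify_cloud_sign_in(record: dict, candidate_nt_hash: bytes) -> bool:
    """Azure AD side: derive the same way from the password the user just typed and compare."""
    candidate = derive_cloud_hash(candidate_nt_hash, record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["hash"])


# Constructed sample NT hashes (not real hashes). Alice and Bob share a password on-premises.
ALICE_NT_HASH = bytes(range(16))
BOB_NT_HASH = bytes(range(16))
ALICE_SALT = b"\x10" * SALT_LEN  # fixed instead of os.urandom so the run is reproducible
BOB_SALT = b"\x20" * SALT_LEN


def demo() -> dict:
    alice = build_sync_record(ALICE_NT_HASH, ALICE_SALT)
    bob = build_sync_record(BOB_NT_HASH, BOB_SALT)
    return {
        "alice_ok": verify_cloud_sign_in(alice, ALICE_NT_HASH),
        "alice_wrong": verify_cloud_sign_in(alice, bytes(16)),
        # Same on-premises password, different per-user salt: different cloud values.
        "same_password_different_cloud_hash": alice["hash"] != bob["hash"],
        "cloud_hash_len": len(alice["hash"]),
    }


if __name__ == "__main__":
    print(demo())
```

The point for a defender: the value that leaves the corporate network is a salted, iterated derivative that Azure AD can only use to re-derive and compare; it cannot be replayed against on-premises Active Directory the way a raw NT hash could, and two users with the same password end up with different cloud values.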
Identity synchronization + ADFS: user identities are synchronized to Microsoft Azure Active Directory; authentication is passed to Windows Server Active Directory via ADFS.
Identity synchronization + pass-through authentication with Seamless SSO: user identities are synchronized to Microsoft Azure Active Directory; authentication is passed to Windows Server Active Directory via the pass-through authentication agent, with Seamless SSO.
How pass-through authentication works
1. The user enters their user name and password at the Microsoft Azure Active Directory Security Token Service.
2. The pass-through authentication connector on the Contoso corpnet is notified of the request.
3. The connector validates the credentials against Active Directory.
4. The domain controller returns the result.
5. The connector returns the result.
6. A token is returned to the user, or further proofs (MFA) are initiated.
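The six steps above are easier to reason about when the three parties are separated. The Python below is an added example, not code from the deck or from Microsoft's pass-through authentication agent: a constructed Security Token Service that only queues requests, a connector that picks them up and validates against a constructed domain controller, and the step-6 decision between a token, an MFA challenge and a denial. Result codes, class names and the sample accounts are mine; the disabled-account and no-connector cases are added to show what happens when validation cannot succeed.

```python
import hashlib
import hmac
from collections import deque
from dataclasses import dataclass, field

# Constructed stand-ins for the three parties in the slide. Names and result
# codes are mine, not Microsoft's.


@dataclass
class DomainController:
    # username -> (sha256 of password, enabled). Constructed; real AD stores NT hashes.
    accounts: dict

    def validate(self, username: str, password: str) -> str:
        entry = self.accounts.get(username)
        if entry is None:
            return "no_such_user"
        digest, enabled = entry
        if not enabled:
            return "account_disabled"
        if not hmac.compare_digest(hashlib.sha256(password.encode()).digest(), digest):
            return "bad_password"
        return "success"


@dataclass
class AzureADSts:
    pending: deque = field(default_factory=deque)  # requests waiting for a connector
    results: dict = field(default_factory=dict)    # request id -> connector verdict
    mfa_required: frozenset = frozenset()          # users whose policy needs further proofs
    audit: list = field(default_factory=list)
    _next_id: int = 0

    def sign_in(self, username: str, password: str) -> int:
        """Step 1: the user enters username and password. The STS only queues the
        request; it never validates the password itself."""
        self._next_id += 1
        self.pending.append({"id": self._next_id, "username": username, "password": password})
        return self._next_id

    def take_pending(self):
        """Step 2: a connector, which only ever connects outbound, picks up a request."""
        return self.pending.popleft() if self.pending else None

    def deliver_result(self, req_id: int, username: str, result: str) -> None:
        """Step 5: the connector hands back the verdict; the detailed reason goes to the log."""
        self.results[req_id] = result
        self.audit.append((req_id, username, result))

    def outcome(self, req_id: int, username: str) -> str:
        """Step 6: token, further proofs (MFA) or one generic denial for the user."""
        result = self.results.get(req_id)
        if result is None:
            return "pending"  # no connector has answered (e.g. all agents offline)
        if result != "success":
            return "denied"  # the user sees the same message whatever the reason
        return "mfa_challenge" if username in self.mfa_required else "token_issued"


@dataclass
class Connector:
    dc: DomainController

    def poll(self, sts: AzureADSts):
        """Steps 2-5: fetch one request, validate it against AD, return the result."""
        req = sts.take_pending()
        if req is None:
            return None
        result = self.dc.validate(req["username"], req["password"])  # steps 3-4
        sts.deliver_result(req["id"], req["username"], result)
        return result


def run_scenario() -> dict:
    dc = DomainController(accounts={
        "alice": (hashlib.sha256(b"CorrectHorse1!").digest(), True),
        "bob": (hashlib.sha256(b"Hunter2!").digest(), False),
        "erin": (hashlib.sha256(b"Passw0rd!x").digest(), True),
    })
    sts = AzureADSts(mfa_required=frozenset({"alice"}))
    connector = Connector(dc)
    outcomes = {}
    for label, user, pwd in [("alice_good", "alice", "CorrectHorse1!"),
                             ("alice_bad", "alice", "wrong"),
                             ("bob_disabled", "bob", "Hunter2!"),
                             ("erin_good", "erin", "Passw0rd!x")]:
        req_id = sts.sign_in(user, pwd)
        connector.poll(sts)
        outcomes[label] = sts.outcome(req_id, user)
    req_id = sts.sign_in("carol", "anything")  # no connector polls this one
    outcomes["no_connector"] = sts.outcome(req_id, "carol")
    outcomes["audit"] = list(sts.audit)
    return outcomes


if __name__ == "__main__":
    print(run_scenario())
```

Two design points carry over to the real service: the connector initiates the connection outward, so no inbound firewall opening to the domain controllers is needed, and the sign-in page shows one generic failure while the detailed reason (bad password, disabled account) stays in the sign-in log for the operations team.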
How Seamless SSO works with pass-through authentication and password hash synchronization
1. The user enters their username at the Microsoft Azure Active Directory Security Token Service.
2. A 401 response is returned, telling the client to get a Kerberos ticket.
3. The user requests a Kerberos ticket from Active Directory on the Contoso corpnet.
4. Active Directory returns a Kerberos ticket.
5. The user sends the ticket to the Azure AD STS.
6. A token is returned to the user, or further proofs (MFA) are initiated.
More options than ever!
- Identity synchronization + password hash synchronization + Seamless SSO (Azure Active Directory authenticates the user)
- Identity synchronization + ADFS
- Identity synchronization + pass-through authentication + Seamless SSO
Azure Active Directory Connect
(Diagram: DirSync, Azure Active Directory Sync, FIM + Azure Active Directory Connector and ADFS consolidate into Azure Active Directory Connect, which contains the sync engine and ADFS.)
Consolidated deployment assistant for your identity bridge components. All currently available sync engines will be replaced by the sync engine included in the Connect tool. Assisted deployment of ADFS will be available through Azure Active Directory Connect. ADFS is an optional component for authentication in a hybrid implementation; password sync can replace ADFS for more scenarios.
Identity as the core of enterprise mobility
(Diagram: Microsoft Azure Active Directory as the control plane, with a simple connection to Windows Server Active Directory and other directories on-premises, and self-service and single sign-on to Azure, SaaS and public cloud applications for customers and partners.)
Your directory in the cloud
(Diagram: other directories feed Microsoft Azure Active Directory, which provides access to SaaS apps.)
Access even more on-premises web applications
(Diagram: a user reaches an on-premises app through a Microsoft Azure Active Directory Application Proxy URL such as https://appx-contoso.msappproxy.net/; Application Proxy connectors, running in Azure, in third-party IaaS or in the DMZ, forward the request to the internal apps and other LoB apps.)
ENABLE BUSINESS WITHOUT BORDERS
- Add B2B users with accounts in other Azure AD organizations.
- Add B2B users with MSA (Microsoft Account), Google, or other identity provider accounts.
- Assign B2B users access to any app or service your organization owns: SharePoint Online and Office 365 apps, Azure AD and Office 365 groups, third-party apps and LOB apps.
Legend: a dashed silhouette is a user account in the resource tenancy that uses an external identity for authentication.
Enterprise security
(Diagram of threats and controls: attacks such as malware, phishing, denial of service and unauthorized data access against user accounts, user log-ins and device log-ins, countered by multi-factor authentication, data encryption and system updates.)
CLOUD-POWERED PROTECTION
Identity Protection at its best
Gain insights from a consolidated view of machine learning based threat detection: infected devices, brute force attacks, configuration vulnerabilities, leaked credentials and suspicious sign-in activities.
Risk-based conditional access automatically protects against suspicious logins and compromised credentials: the machine-learning engine calculates a risk severity for risky logins, and risk-based policies respond with an MFA challenge, a change of bad credentials or blocking the attack, together with remediation recommendations.
Use the power of Identity Protection in Power BI, SIEM and other monitoring tools
The same detections (infected devices, brute force attacks, configuration vulnerabilities, leaked credentials, suspicious sign-in activities) from the Microsoft machine-learning engine reach your existing security, monitoring and reporting solutions through notifications, data extracts/downloads and the reporting APIs. Apply Microsoft learnings to your existing security tools.
Control access to data based on real-time context
Conditional access allows you to define policies that provide contextual controls at the user, location, device, and app levels. As conditions change, natural user prompts ensure that only the right users on compliant devices can access sensitive data.
Conditions: user or user group, location (IP range), device compliance state, risk.
Actions: allow, enforce MFA, block access, remediate (wipe device).
Applies to cloud applications and on-premises applications; built on Azure Active Directory Premium, Microsoft Intune and the Microsoft Intelligent Security Graph.
Demo: PTA and a Conditional Access policy
Conditions:
- User: group membership, user risk, session risk
- Device: OS type (iOS, Android, Windows, Mac), compliance state, domain join status, device risk (device state from Microsoft Intune)
- Application: app type (mobile app, browser or desktop app), application identity
- Location: IP range
Security signals: Microsoft Digital Crimes Unit, Microsoft Cybercrime Center, machine learning (AI based on billions of Azure AD authentications per day).
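The two conditional access slides list conditions (user and group, location IP range, device compliance, app type, user and sign-in risk) and actions (allow, enforce MFA, block, remediate), but not how several matching policies combine. The Python below is an added example of that evaluation logic, not code from the deck or from Azure AD: a sign-in context, a small policy model, and an evaluator in which any block wins and otherwise every required control from every matching policy must be satisfied. It also covers a control the user cannot satisfy interactively (a compliant device), which stays outstanding until the device is remediated. Policy names, the IP ranges (documentation prefixes), the sample users and all identifiers are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

RISK = {"none": 0, "low": 1, "medium": 2, "high": 3}


@dataclass
class SignIn:
    """Real-time context of one sign-in (constructed model; field names are mine)."""
    user: str
    groups: frozenset
    ip: str
    app: str
    client_type: str  # "browser", "mobile_app" or "desktop_app"
    device_compliant: bool
    user_risk: str = "none"
    sign_in_risk: str = "none"


@dataclass
class Policy:
    name: str
    control: str  # "block", "mfa", "compliant_device" or "password_change"
    groups: Optional[frozenset] = None        # None = all users
    apps: Optional[frozenset] = None          # None = all cloud apps
    client_types: Optional[frozenset] = None  # None = any client type
    trusted_ranges: Optional[tuple] = None    # when set, applies only OUTSIDE these CIDRs
    min_user_risk: str = "none"
    min_sign_in_risk: str = "none"


def policy_applies(p: Policy, s: SignIn) -> bool:
    if p.groups is not None and not (p.groups & s.groups):
        return False
    if p.apps is not None and s.app not in p.apps:
        return False
    if p.client_types is not None and s.client_type not in p.client_types:
        return False
    if p.trusted_ranges is not None:
        addr = ipaddress.ip_address(s.ip)
        if any(addr in ipaddress.ip_network(r) for r in p.trusted_ranges):
            return False  # inside a trusted location: this policy does not fire
    if RISK[s.user_risk] < RISK[p.min_user_risk]:
        return False
    if RISK[s.sign_in_risk] < RISK[p.min_sign_in_risk]:
        return False
    return True


def evaluate(policies, s: SignIn) -> dict:
    """All matching policies apply together: any block wins; otherwise every
    required control must be satisfied before a token is issued."""
    hit = [p for p in policies if policy_applies(p, s)]
    names = [p.name for p in hit]
    if any(p.control == "block" for p in hit):
        return {"decision": "block", "required": [], "policies": names}
    required = {p.control for p in hit}
    if "compliant_device" in required and s.device_compliant:
        required.discard("compliant_device")  # already satisfied by the device state
    # Whatever is left needs the user (MFA, password change) or device remediation.
    decision = "allow" if not required else "challenge"
    return {"decision": decision, "required": sorted(required), "policies": names}


CORP_RANGES = ("203.0.113.0/24",)  # constructed corpnet egress range

POLICIES = [
    Policy("Require MFA outside corpnet", "mfa", trusted_ranges=CORP_RANGES),
    Policy("Require MFA for Global Admins", "mfa", groups=frozenset({"Global Admins"})),
    Policy("Block high sign-in risk", "block", min_sign_in_risk="high"),
    Policy("Password change on medium or higher user risk", "password_change", min_user_risk="medium"),
    Policy("Compliant device for Exchange Online from mobile apps", "compliant_device",
           apps=frozenset({"Exchange Online"}), client_types=frozenset({"mobile_app"})),
]


def run_scenarios() -> dict:
    base = dict(groups=frozenset({"Employees"}), app="SharePoint Online",
                client_type="browser", device_compliant=True)
    cases = {
        "alice_corp": SignIn("alice", ip="203.0.113.10", **base),
        "alice_home": SignIn("alice", ip="198.51.100.7", **base),
        "bob_risky_signin": SignIn("bob", ip="203.0.113.11", sign_in_risk="high", **base),
        "carol_mobile_noncompliant": SignIn("carol", groups=frozenset({"Employees"}), ip="198.51.100.9",
                                            app="Exchange Online", client_type="mobile_app",
                                            device_compliant=False),
        "dave_leaked_creds": SignIn("dave", ip="203.0.113.12", user_risk="medium", **base),
        "erin_admin_corp": SignIn("erin", groups=frozenset({"Employees", "Global Admins"}),
                                  ip="203.0.113.13", app="Azure portal",
                                  client_type="browser", device_compliant=True),
    }
    return {name: evaluate(POLICIES, s) for name, s in cases.items()}


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(name, result)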
Next session 18:00-18:45: Azure Information Protection, Lisanne Brons & Raymond van 't Hag