
Azure Active Directory for the Hybrid Enterprise

Keith Brintzenhofe
Group Program Manager
Azure AD Identity & Access Management
MICROSOFT CONFIDENTIAL

Agenda
Azure AD and the Hybrid Enterprise
Azure AD Identity & Access Management Scenarios
Azure AD Premium
Q&A


Azure Active Directory: The Vision

A modern, cloud-based identity management service providing federation, directory services, device registration, user provisioning, application access control and data protection.
A natural extension to on-premises directories: the combination of Windows Server AD and Windows Azure AD lets you secure today's hybrid enterprise.
On-premises and cloud Active Directory managed as one
Consistent identities for on-premises and cloud applications
Easy end-user experience with single sign-on and self-service features

Azure Active Directory and the Hybrid Enterprise

[Architecture diagram. On-premises and private cloud: Windows Server Active Directory, Other Directories, HR, Custom apps, Other apps, Active Directory Federation Services, Sync. Azure Active Directory: Identity Management, Self-Service. Cloud side: SaaS apps (10,000+ apps), Devices, Other Directories.]

Azure AD Identity and Access Management Scenarios

Simplify access and control of SaaS applications
Reduce IT burden with self-service IAM
Improve security posture with cloud services
Easily meet reporting requirements
Rapidly develop and deploy new enterprise capabilities

Azure AD directory management

Manage users in your cloud directory
  Management portal
  PowerShell
  Programmatic Graph API
Assign familiar user names in domains your organization already uses
  Self-service verification of your domains
Integrate with existing directories
  Sync users into your cloud directory from a Windows Server AD, LDAP, or other existing directory
  Users can access their cloud resources with their Windows Server AD username and password

Discover all SaaS apps in use within your organization

Cloud App Discovery
Fortune 500 company with 60,000+ international employees
Worried about corporate data leakage
Departments are adopting multiple subscriptions to SaaS apps without IT involvement
Need inventory of applications to begin gaining control and to enable SSO

Features used
Endpoint agent for application discovery with ability to distribute using SCCM
Interactive dashboard:
  View total number of SaaS apps in use
  View number of users using SaaS apps
  View top SaaS apps with categories in use
  See usage graphs for SaaS apps that can be pivoted on users, web requests or volume of data exchanged with the application
  Drill down into specific applications for targeted information
Easily integrate an application with Azure Active Directory

Simplify access and control of SaaS applications

SaaS App Management
Professional services company, 4500 employees
Interested in Office 365, Workday, Salesforce, Yammer and other SaaS applications
Needs centralized management of employee access to SaaS applications

Features used
Windows Azure AD single sign-on (SSO) for SaaS applications
Automated user provisioning and de-provisioning to SaaS applications
Access Panel at myapps.microsoft.com
Company-branded sign-in and app access experience


Simplify access and control of SaaS applications

SaaS App User Provisioning
Fortune 500 company with 100,000+ international employees
Needed automated user provisioning and deprovisioning to SaaS apps including ServiceNow
ServiceNow also requires group objects

Features used
Synchronize across on-premises data sources and into Windows Azure AD
Windows Azure AD provides user and group provisioning to ServiceNow and other SaaS apps

Simplify access and control of SaaS applications

Windows Azure AD Connector
Fortune 500 company with 100,000+ international employees
Multiple data sources on-premises
Need to provision users and groups to Windows Azure AD for control of SaaS

Features used
Synchronize on-premises data sources to Windows Azure AD
Group-based application assignment in WAAD
Incorporate users from HR sources such as SAP, PeopleSoft and Oracle

Understand the ROI on SaaS applications

Usage and Business reporting
Large multi-national enterprise
Seeking to evaluate application usage and access patterns

Features used
Application dashboard
  Cross-company application usage
  Detailed usage for specific apps

Self-service identity and access management

Self-Service Password Reset for Users
University with 20k current students
Existing on-premises password reset solution in place does not cover alumni and is difficult to manage

Features used
Reset of on-premises passwords from the cloud (password writeback to WSAD)
Phone and email verification methods
End-user registration of contact methods
Customization of helpdesk URL and branding of Password Reset Portal with the university's logo

Self-service identity and access management

Custom Branding
Financial services firm with 200+ offices
Needs consistent look-and-feel across authentication experiences
Already using Office 365 and Active Directory

Features used
Sign-in page branded with company logo and illustration
Customized help text on sign-in page
Access Panel for end-users customized with company logo

Self-service identity and access management

Self-Service Group Management
Large multi-national enterprise
Enable distributed group creation and management

Delegated group management
  End users can create groups, assign users
  Owner can delegate ownership
Self-service group management
  Users can search for groups and request to join
  Owner approves requests
  Groups can be set to auto-approve

Improve security posture with cloud services

Multi-Factor Authentication
Local government agency
Protect access to sensitive applications
Avoid end-user lockout using multiple MFA methods (Phone App, Call or SMS to Mobile, Office, or alternate phone)

Features used
Targeted MFA for sensitive accounts
Customization of MFA greetings, fraud alerts, one-time bypass capabilities
End-user self-service enrollment
Audit reports for MFA activity
Whitelisting IP addresses to bypass MFA from corpnet
Remember this device feature to require MFA only from untrusted devices
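The bypass features on this slide (trusted corpnet IP ranges, remembered devices, one-time bypass, targeted MFA for sensitive accounts) interact, and the order in which they are evaluated decides who can skip the second factor. The Python below is an added illustration, not code from this deck or from Azure AD: it models that evaluation with assumed policy fields (MfaPolicy, MfaState, requires_mfa) and constructed sample sign-ins. The order chosen here keeps sensitive accounts challenged even from corpnet unless the policy explicitly allows otherwise, scopes a remembered device to the user who completed MFA on it and expires it, and consumes a one-time bypass on first use.

```python
"""Added example: a minimal conditional-access evaluator modelled on the MFA
features listed on the slide. Not Azure AD code; policy fields, helper names
and all sample values (users, IP ranges, device ids) are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple


@dataclass(frozen=True)
class MfaPolicy:
    sensitive_users: frozenset        # accounts that are always challenged (targeted MFA)
    trusted_networks: tuple           # corpnet ranges allowed to skip MFA (whitelisted IPs)
    remember_device_for: timedelta = timedelta(days=14)   # lifetime of "remember this device"
    trusted_ip_bypasses_sensitive: bool = False           # corpnet does not exempt sensitive accounts by default


@dataclass(frozen=True)
class SignIn:
    user: str
    source_ip: str
    device_id: Optional[str]
    at: datetime


class MfaState:
    """Mutable tenant state: remembered devices and helpdesk-issued one-time bypasses."""

    def __init__(self):
        self.remembered = {}        # device_id -> (user, time MFA was last completed on it)
        self.one_time_bypass = {}   # user -> expiry of an unused one-time bypass

    def remember_device(self, device_id, user, when):
        self.remembered[device_id] = (user, when)

    def issue_one_time_bypass(self, user, when, minutes=5):
        self.one_time_bypass[user] = when + timedelta(minutes=minutes)


def requires_mfa(policy: MfaPolicy, state: MfaState, s: SignIn) -> Tuple[bool, str]:
    """Return (mfa_required, reason) for one sign-in attempt."""
    # 1. A one-time bypass is consumed on first use, whether or not it is still valid.
    expiry = state.one_time_bypass.pop(s.user, None)
    if expiry is not None and s.at <= expiry:
        return False, "one-time bypass"
    addr = ip_address(s.source_ip)
    on_corpnet = any(addr in ip_network(net) for net in policy.trusted_networks)
    # 2. Sensitive accounts are challenged everywhere unless the policy says corpnet may skip.
    if s.user in policy.sensitive_users:
        if on_corpnet and policy.trusted_ip_bypasses_sensitive:
            return False, "trusted IP (sensitive bypass enabled)"
        return True, "sensitive account"
    # 3. Whitelisted corpnet ranges skip MFA for everyone else.
    if on_corpnet:
        return False, "trusted IP"
    # 4. A remembered device only counts for the user who did MFA on it, and only until it expires.
    if s.device_id in state.remembered:
        owner, when = state.remembered[s.device_id]
        if owner != s.user:
            return True, "device remembered for a different user"
        if s.at - when > policy.remember_device_for:
            return True, "remembered device expired"
        return False, "remembered device"
    return True, "untrusted network and unknown device"


# Constructed sample policy and timeline.
T0 = datetime(2014, 6, 1, 9, 0, tzinfo=timezone.utc)
POLICY = MfaPolicy(sensitive_users=frozenset({"admin@contoso.example"}),
                   trusted_networks=("10.0.0.0/8",))


def demo():
    """Walk a few constructed sign-ins through the policy; returns the decisions."""
    st = MfaState()
    st.remember_device("dev-1", "alice@contoso.example", T0)
    st.issue_one_time_bypass("admin@contoso.example", T0)
    attempts = [
        SignIn("alice@contoso.example", "10.1.2.3", None, T0),                          # corpnet
        SignIn("alice@contoso.example", "203.0.113.5", "dev-1", T0 + timedelta(days=1)),  # remembered
        SignIn("alice@contoso.example", "203.0.113.5", "dev-1", T0 + timedelta(days=20)), # expired
        SignIn("bob@contoso.example", "203.0.113.5", "dev-1", T0 + timedelta(days=1)),    # not his device
        SignIn("admin@contoso.example", "203.0.113.5", None, T0 + timedelta(minutes=1)),  # uses bypass
        SignIn("admin@contoso.example", "10.1.2.3", None, T0 + timedelta(minutes=2)),     # corpnet, still MFA
    ]
    return [requires_mfa(POLICY, st, a) for a in attempts]


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

The evaluation order is the security-relevant design choice: an IP whitelist exempts every account that reaches the sign-in page from corpnet, so the sensitive-account check runs before it; a remembered-device record is keyed to the user who completed MFA, so a different user on the same browser still gets challenged.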

Improve security posture with cloud services

Security and Usage Reporting
Large multi-national enterprise
Frequent target of attempts to gain unauthorized access to employee accounts

Features used
Anomaly detection:
  credential sharing
  credential misuse/loss
  brute force attacks
  access from behind anonymizers
Machine learning
  Detection of attacks spanning organizations
Investigate sign-in activity and devices
Admin notifications
Download data for offline analysis
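The anomaly categories on this slide (brute force, credential misuse/loss, credential sharing, access from behind anonymizers) are the kind of rules a defender runs over sign-in logs, and the "download data for offline analysis" item is exactly where such rules would be applied. The Python below is an added example, not part of the deck and not Azure AD's reporting code: it applies simple versions of those rules to a constructed sign-in log in an assumed key=value line format, with an assumed anonymizer IP list standing in for a threat feed. Thresholds and field names are assumptions.

```python
"""Added example: rule-based sign-in anomaly detection over a constructed log.
Not Azure AD code; the log format, thresholds and anonymizer list are assumed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real Azure AD report output): one sign-in per line.
SAMPLE_LOG = """\
2014-06-01T09:00:05Z user=alice ip=198.51.100.10 country=US result=success
2014-06-01T09:01:00Z user=bob ip=192.0.2.200 country=US result=failure
2014-06-01T09:01:10Z user=bob ip=192.0.2.200 country=US result=failure
2014-06-01T09:01:20Z user=bob ip=192.0.2.200 country=US result=failure
2014-06-01T09:01:30Z user=bob ip=192.0.2.200 country=US result=failure
2014-06-01T09:01:40Z user=bob ip=192.0.2.200 country=US result=failure
2014-06-01T09:01:50Z user=bob ip=192.0.2.200 country=US result=success
2014-06-01T09:12:40Z user=alice ip=203.0.113.77 country=BR result=success
2014-06-01T09:20:00Z user=carol ip=203.0.113.9 country=NL result=success
2014-06-01T09:30:00Z user=dave ip=198.51.100.44 country=US result=failure
2014-06-01T09:31:00Z user=dave ip=198.51.100.44 country=US result=success
"""

# Constructed stand-in for an anonymizer / proxy exit-node feed.
ANONYMIZER_IPS = {"203.0.113.9"}

BRUTE_FORCE_FAILURES = 5                    # failures per user within the window
BRUTE_FORCE_WINDOW = timedelta(minutes=10)
CREDENTIAL_SHARE_WINDOW = timedelta(minutes=60)   # two countries this close apart = shared credential


def parse_line(line):
    """'<timestamp> k=v k=v ...' -> dict with a parsed 'time' field."""
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["time"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def detect(log_text):
    """Run the rules over the log in time order; returns [(rule, user, detail), ...]."""
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda r: r["time"])
    findings, seen = [], set()

    def flag(rule, user, detail):
        if (rule, user) not in seen:        # report each (rule, user) pair once
            seen.add((rule, user))
            findings.append((rule, user, detail))

    failures = defaultdict(list)    # user -> failure timestamps inside the window
    last_success = {}               # user -> (time, country) of the previous success
    for e in events:
        u, t = e["user"], e["time"]
        if e["result"] != "success":
            window = failures[u]
            window.append(t)
            while window and t - window[0] > BRUTE_FORCE_WINDOW:
                window.pop(0)       # slide the window forward
            if len(window) >= BRUTE_FORCE_FAILURES:
                flag("brute_force", u, f"{len(window)} failures in {BRUTE_FORCE_WINDOW} from {e['ip']}")
            continue
        # Successful sign-in from here on.
        if e["ip"] in ANONYMIZER_IPS:
            flag("anonymizer", u, f"successful sign-in from anonymizer {e['ip']}")
        if ("brute_force", u) in seen and failures[u] and t - failures[u][-1] <= BRUTE_FORCE_WINDOW:
            flag("success_after_brute_force", u, "success right after a failure burst (possible credential loss)")
        if u in last_success:
            prev_t, prev_c = last_success[u]
            if prev_c != e["country"] and t - prev_t <= CREDENTIAL_SHARE_WINDOW:
                flag("credential_sharing", u, f"{prev_c} then {e['country']} within {t - prev_t}")
        last_success[u] = (t, e["country"])
    return findings


if __name__ == "__main__":
    for rule, user, detail in detect(SAMPLE_LOG):
        print(f"{rule:26} {user:8} {detail}")
```

On the sample log this flags bob for a failure burst and for the success that follows it, alice for two successes from different countries twelve minutes apart, and carol for a success from the listed anonymizer; dave's single failure followed by a success is left alone.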

Rapidly develop and deploy new enterprise capabilities

Write custom LOB applications that integrate with Windows Azure AD
  Website applications, web APIs, and native client applications
Users sign in to AD-integrated applications with their cloud identities
  Single sign-on with Office 365 and other services that use Windows Azure AD
AD-integrated applications can access Office 365 and other web APIs
  Write powerful applications that access email, calendar, contacts, files, etc. in Office 365 and other applications
Applications can extend the Windows Azure AD schema
  Read and write attributes which are useful to other applications in the organization
Cross-platform support
  Web applications and web APIs can run on Windows Azure or other infrastructure
  Native client applications can run on iOS, Android, and Windows
Open standards
  SAML, OAuth 2.0, OpenID Connect, OData 3.0
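When users "sign in to AD-integrated applications with their cloud identities" over OpenID Connect, the application receives an ID token and must validate it before trusting the identity inside. The Python below is an added example, not from this deck and not a Microsoft SDK: it shows the checks a relying party performs (pinned algorithm, signature, issuer, audience, expiry, not-before, tenant) on a constructed token. Azure AD signs tokens with RS256 using keys published in the tenant's OpenID Connect discovery document; to run without third-party libraries this example signs with HS256 over a constructed shared secret, so the signing primitive is a stand-in while the claim checks are the same ones an RS256 validator must perform. Issuer, audience, tenant, user and secret values are placeholders.

```python
"""Added example: relying-party validation of an OpenID Connect ID token.
Not from the deck or any SDK. HS256 over a constructed secret stands in for
Azure AD's RS256; all issuer/audience/tenant/user values are placeholders."""
import base64
import hashlib
import hmac
import json
from typing import Optional


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims: dict, secret: bytes, alg: str = "HS256") -> str:
    """Issuer side: build a compact JWS. alg='none' exists only to show it is rejected."""
    header = {"alg": alg, "typ": "JWT"}
    signing_input = ".".join(b64url_encode(json.dumps(p, separators=(",", ":")).encode())
                             for p in (header, claims))
    if alg == "none":
        return signing_input + "."
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


class TokenError(Exception):
    pass


def validate_id_token(token: str, secret: bytes, expected_issuer: str, expected_audience: str,
                      now: int, skew: int = 300, expected_tenant: Optional[str] = None) -> dict:
    """Relying-party side: every check must pass before the claims are trusted."""
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        # Pin the algorithm: the token never gets to choose it ('none' or a downgrade).
        if header.get("alg") != "HS256":
            raise TokenError("unexpected alg %r" % header.get("alg"))
        expected_sig = hmac.new(secret, (header_b64 + "." + payload_b64).encode("ascii"),
                                hashlib.sha256).digest()
        if not hmac.compare_digest(expected_sig, b64url_decode(sig_b64)):
            raise TokenError("signature mismatch")
        claims = json.loads(b64url_decode(payload_b64))
    except ValueError as exc:            # bad base64 or JSON
        raise TokenError("undecodable token") from exc
    if claims.get("iss") != expected_issuer:
        raise TokenError("issuer mismatch")
    aud = claims.get("aud")
    if expected_audience not in (aud if isinstance(aud, list) else [aud]):
        raise TokenError("token was not issued for this application")
    if "exp" not in claims or now >= claims["exp"] + skew:
        raise TokenError("token expired")
    if claims.get("nbf", 0) - skew > now:
        raise TokenError("token not yet valid")
    if expected_tenant is not None and claims.get("tid") != expected_tenant:
        raise TokenError("tenant mismatch")
    return claims


def is_rejected(token, secret, issuer, audience, now) -> bool:
    try:
        validate_id_token(token, secret, issuer, audience, now)
        return False
    except TokenError:
        return True


def tampered(token: str, new_claims: dict) -> str:
    """Swap the payload but keep the old signature (what an attacker without the key can do)."""
    parts = token.split(".")
    parts[1] = b64url_encode(json.dumps(new_claims, separators=(",", ":")).encode())
    return ".".join(parts)


# Constructed placeholders.
SECRET = b"constructed-demo-secret"
ISSUER = "https://sts.example/tenant-id-placeholder/"
AUDIENCE = "client-id-placeholder"
NOW = 1401613200     # 2014-06-01T09:00:00Z
GOOD_CLAIMS = {"iss": ISSUER, "aud": AUDIENCE, "iat": NOW - 60, "nbf": NOW - 60, "exp": NOW + 3600,
               "tid": "tenant-id-placeholder", "upn": "alice@contoso.example"}


def demo() -> str:
    """Mint a token and validate it; returns the signed-in user's UPN."""
    token = make_token(GOOD_CLAIMS, SECRET)
    return validate_id_token(token, SECRET, ISSUER, AUDIENCE, NOW,
                             expected_tenant="tenant-id-placeholder")["upn"]


if __name__ == "__main__":
    print("validated:", demo())
```

The audience check is the one most often skipped in practice: a token issued to another application in the same tenant carries a perfectly valid signature from the same issuer, and only the aud claim distinguishes it.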

Azure Active Directory features comparison

Feature                                                        AAD Free                  AAD Premium
Directory as a Service                                         Yes - up to 500K Objects  Yes - No Limit
User/Group Management                                          Yes                       Yes
SSO to pre-integrated SaaS Applications / Custom Apps          Yes                       Yes
Directory Synchronization Tool (WSAD Extension)                Yes                       Yes
User-based access management/provisioning                      Yes                       Yes
Group-based access management/provisioning                     -                         Yes
Self-Service Group Management for cloud users                  -                         Yes
Self-Service Change Password for cloud users                   -                         Yes
Self-Service Reset Password for cloud users                    -                         Yes
Security Reports                                               Yes (MFA related)         Yes
Multi-Factor Authentication                                    Yes                       Yes
Advanced Security Reporting (machine learning-based)           -                         Yes
Usage Reporting                                                -                         Yes
Custom Branding (Logon/Access Panel customization)             -                         Yes
MFA (All available features on Windows Azure and on premises)  Yes                       Yes
SLA                                                            Yes                       Yes
FIM CAL + FIM Server                                           -                         Yes

Discussion and Next Steps

Learn more about Azure Active Directory: http://azure.microsoft.com/en-us/solutions/identity/
Get started with Cloud App Discovery at https://appdiscovery.azure.com/
Give us feedback via the forums at http://aka.ms/aadforum
My contact info: kbrint@microsoft.com

