Slide 1: Introduction to Azure Active Directory
Javier Dominguez, Premier Field Engineer (PFE), Microsoft
Slide 2: Problem Statement
• While enterprises are working to consolidate directories on-premises, cloud apps are fragmenting directories… again
[Diagram: on-premises Active Directory with its apps on one side; on the other, several cloud apps, each with a separate username/password sign-in and manual or semi-automated provisioning, and no direct connection to the directory.]
Slide 3: History of Azure Active Directory
• Office 365 services needed access to customer directories to provide best-in-breed experiences
• Offer identity services to organizations without on-premises directories
• Run at internet scale
• Offer multi-tenancy
[Diagram: Exchange Online, SharePoint Online and Lync Online, with question marks on how they reach customer directories on-premises.]
Slide 4: Windows Azure Active Directory
• Active Directory revised to operate as an Internet-scale, multi-tenant directory service, built concurrently with Office 365
• Extends Windows Server Active Directory into the cloud
• Provides cloud-based directory and identity services for organizations without Windows Server AD
[Diagram: Exchange Online, SharePoint Online and Lync Online connected to Azure Active Directory, which in turn connects to the on-premises Active Directory.]
Slide 5: Demo
Cloud Directory Management
Slide 6: Directory and Identity as a Service
• Consolidate directory management across cloud apps
• Connect to the directory from any platform, any device
• Connect with people from web identity providers and other organizations
[Diagram: Azure Active Directory at the centre, connected to the on-premises Active Directory and to Office 365, other Microsoft apps, ISV apps and your custom IT app.]
Slide 7: How Does a Cloud App Connect to Directory?
[Diagram: a cloud application and the Contoso.com directory, with question marks on the connection between them.]
Slide 8: Anatomy of a Typical Cloud Application
• Web application
• Web service API
• Account and profile store
• Clients (browser, mobile app, server app) using a wide variety of devices, languages and platforms
• Server applications using a wide variety of platforms and languages
[Diagram: browser, mobile app and server app clients calling the web application and the web service API, which sit in front of the account and profile store.]
Slide 9: Azure Active Directory Design Principles
The cloud design point demands capabilities that are not part of current-day Windows Server Active Directory
• Maximize device and platform reach
• HTTP/web/REST-based protocols
• Multi-tenancy
• Customer owns the directory, not Microsoft
• Optimize for availability, consistent performance and scale
• Keep it simple
Slide 10: Directory access and authentication: adapting to the cloud paradigm

| | AD | AAD |
|---|---|---|
| Tools | Consoles, PowerShell, Applications | Portals, PowerShell, Applications |
| Protocols | LDAP, Kerberos | REST, OAuth |
Slide 11: Directory Graph API
• RESTful programmatic access to the directory
• Objects such as users, groups, roles, licenses
• Relationships such as member, memberOf, manager, directReport
• Requests use standard HTTP methods: POST, GET, PATCH, DELETE to create, read, update and delete
• Response in XML or JSON; standard HTTP status codes
• Compatible with OData 3.0
• Callers authenticate with OAuth 2.0 access tokens
• Role-based assignment for application and user authorization
Slide 12: Example Directory Graph Call
Request: https://directory.windows.net/contoso.com/Users/[email protected]
Response:

```json
{
  "Manager": { "uri": "https://directory.windows.net/contoso.com/Users('..')/Manager" },
  "MemberOf": { "uri": "https://directory.windows.net/contoso.com/Users('..')/MemberOf" },
  "ObjectId": "90ef7131-9d01-4177-b5c6-fa2eb873ef19",
  "ObjectReference": "User_90ef7131-9d01-4177-b5c6-fa2eb873ef19",
  "ObjectType": "User",
  "AccountEnabled": true,
  "DisplayName": "Ed Blanton",
  "GivenName": "Ed",
  "Surname": "Blanton",
  "UserPrincipalName": "[email protected]",
  "Mail": "[email protected]",
  "JobTitle": "Vice President",
  "Department": "Operations",
  "TelephoneNumber": "4258828080",
  "Mobile": "2069417891",
  "StreetAddress": "One Main Street",
  "PhysicalDeliveryOfficeName": "Building 2",
  "City": "Redmond",
  "State": "WA",
  "Country": "US",
  "PostalCode": "98007"
}
```
Slide 13: Protocols to connect with Azure AD

| Protocol | Purpose | Details |
|---|---|---|
| REST/HTTP directory access | Create, read, update, delete directory objects and relationships | Compatible with OData V3; authenticate with OAuth 2.0 |
| OAuth 2.0 | Service-to-service authentication; delegated access | JWT token format |
| SAML 2.0 | Web application authentication | SAML 2.0 token format; used with Office 365 services |
| WS-Federation 1.3 | Web application authentication | SAML 1.1 token format; used with Office 365 services |
Slide 14: Demo
Directory Graph Explorer
Slide 15
[Diagram: the Contoso.com directory holds a ServicePrincipal for the cloud application, associated with a Role (Read); the cloud application keeps its own profile store; an authorized user and an end user are shown.]
Authorized user creates a principal in the directory for the app and authorizes it to use the directory by associating it with a role.
Slide 16
[Diagram: the end user authenticates to the Contoso.com directory (User AuthN) and receives token t1, which is presented to the cloud application; the ServicePrincipal with Role (Read) remains in the directory.]
End user authenticates to the directory to get a token (t1) to call the cloud app.
Slide 17
[Diagram: the cloud application performs Delegated AuthN against the Contoso.com directory, receives token t2 and calls the Directory Graph with it.]
Cloud app gets a token (t2), accesses the Directory Graph using that token, and uses the user's unique ID to find the profile in its local profile store.
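The t1/t2 flow on slides 15 to 17, as an added Python example that is not part of the deck: the cloud app validates the JWT it receives (signature first, then audience, issuer and validity window) and keys its local profile store on the directory object id (the `oid` claim, the same value Graph returns as `ObjectId`) rather than on the UPN or mail address, which can change. The audience, issuer, secret and claim values are constructed for the example. Real Azure AD tokens are RS256-signed with the tenant's published keys and should be validated with a JWT library against those keys; the HS256 shared secret here exists only so the block runs with the standard library.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo values, not from the deck. Real Azure AD tokens are RS256-signed with
# the tenant's published keys; HS256 with a shared secret is used here only so the
# example runs offline with the standard library.
APP_AUDIENCE = "https://cloudapp.contoso.com"
TENANT_ISSUER = "https://sts.windows.net/contoso-tenant-id/"
SIGNING_SECRET = b"demo-shared-secret"


def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims, secret=SIGNING_SECRET):
    """Stands in for the directory's token service issuing t1 to the end user."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"


class TokenError(Exception):
    pass


def validate_token(token, audience=APP_AUDIENCE, issuer=TENANT_ISSUER,
                   secret=SIGNING_SECRET, now=None, skew=60):
    """Signature first, then the claims the cloud app must check before trusting the rest."""
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    header_b64, body_b64, sig_b64 = parts
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        raise TokenError("unexpected alg")      # the verifier, not the token, picks the algorithm
    expected = hmac.new(secret, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise TokenError("bad signature")
    claims = json.loads(b64url_decode(body_b64))
    now = time.time() if now is None else now
    if claims.get("aud") != audience:
        raise TokenError("token issued for a different audience")
    if claims.get("iss") != issuer:
        raise TokenError("token from an untrusted issuer")
    if now > claims.get("exp", 0) + skew:
        raise TokenError("token expired")
    if now < claims.get("nbf", 0) - skew:
        raise TokenError("token not yet valid")
    if not claims.get("oid"):
        raise TokenError("no object id claim")
    return claims


class ProfileStore:
    """The app's local profile store, keyed by the directory object id (oid), never by UPN or mail."""
    def __init__(self):
        self._by_oid = {}

    def lookup_or_create(self, claims):
        profile = self._by_oid.setdefault(
            claims["oid"], {"oid": claims["oid"], "tid": claims.get("tid"), "prefs": {}})
        profile["upn"] = claims.get("upn")      # mutable attributes are refreshed, not used as the key
        return profile

    def __len__(self):
        return len(self._by_oid)


def demo(now=1_700_000_000):
    """Same user signs in twice; the UPN changes between sign-ins, the oid does not."""
    store = ProfileStore()
    base = {"aud": APP_AUDIENCE, "iss": TENANT_ISSUER, "tid": "contoso-tenant-id",
            "oid": "90ef7131-9d01-4177-b5c6-fa2eb873ef19", "nbf": now - 60, "exp": now + 3600}
    first = store.lookup_or_create(validate_token(mint_token({**base, "upn": "[email protected]"}), now=now))
    first["prefs"]["theme"] = "dark"
    # After a rename the UPN changes but the oid does not, so the same profile is found.
    second = store.lookup_or_create(validate_token(mint_token({**base, "upn": "[email protected]"}), now=now))
    return {"profiles": len(store), "same_profile": first is second,
            "theme": second["prefs"]["theme"], "upn": second["upn"]}
```

The order matters: nothing in the payload is trusted until the signature has checked out, the verifier fixes the algorithm rather than reading it from the header, and a token minted for another audience (one the user obtained for a different app) is rejected even though its signature is valid.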
Slide 18: Relationship to Windows Server AD
• On-premises and cloud Active Directory managed as one
• Directory information synchronized to the cloud, made available to cloud apps via role-based access control
• Federated authentication enables single sign-on to cloud applications with corporate credentials
[Diagram: Active Directory and Azure Active Directory linked by sync and federation.]
Slide 19: Directory and Identity as a Service
• Consolidate directory management across cloud apps
• Connect to the directory from any platform, any device
• Connect with people from web identity providers and other organizations
• Users can use the same identity to access on-prem and cloud apps
[Diagram: as on slide 6, with your on-prem apps attached to the on-premises Active Directory and sync & federation linking it to Azure Active Directory.]
Slide 20: Directory Synchronization
• Directory synchronization between on-premises and online
• Objects are created and managed on-premises and synchronized to the cloud
• Optionally, password hashes can be synced to the cloud, providing a single identity and credential but not single sign-on: users still authenticate separately against the cloud directory, with the same password
• Reuse the existing directory implementation on-premises, including non-AD sources
Slide 21: Federation and single sign-on
• Single identity and sign-on for on-premises and cloud services
• Identities mastered on-premises, single point of management
• Secure token-based authentication
• Client access control based on IP address with AD FS and Office 365 services
• Strong-factor authentication options for additional security
Slide 22: Windows Azure Active Authentication
• Why multi-factor
  • Your data and applications are under attack
  • Passwords are easily compromised
  • Consumerization of IT has only increased the scope of vulnerability
  • Strengthening regulatory requirements call for strongly authenticating access
• Proven authentication platform
  • Powered by the market-leading PhoneFactor platform
  • Trusted by thousands of enterprise customers across a wide range of industries, including healthcare, financial services, manufacturing, and government
  • Authenticating millions of logins and transactions each month
Slide 23: Enterprise authentication using any phone
• Mobile apps: out-of-band push, one-time passcode
• Phone calls: out-of-band call
• Text messages: out-of-band text, one-time passcode
Slide 24: Architecture
[Diagram: users on any device sign in to Windows Azure Active Directory, which fronts ISV/CSV apps, Microsoft apps and custom LOB apps; Active Authentication sits beside it.]
1. Users sign in from any device using their existing username/password. Credentials are checked in Windows Azure AD.
2. Active Authentication is then triggered for additional verification: users must also authenticate using their phone or mobile device before access is granted.
Slide 25: Embracing BYOD
• AD Workplace Join: users join their device to their workplace, making the device known to the company's Active Directory
• Single Sign-On (SSO): users sign in once to their company from any application and are not prompted for credentials by every company application when using workplace-joined devices
• Work from anywhere: businesses enable users to work from anywhere while adhering to their IT governance policies around risk management
• Multi-factor authentication: businesses require additional factors of authentication when business-critical resources are accessed or when there is perceived risk
• Multi-factor access control: businesses set conditional access control to resources based on four core pivots: the user, the device used, the user's network location and the use of additional authentication factors
• AD Authentication Library: ISVs build enterprise apps that deliver SSO and allow enterprises to set access control policies based on user, device, network location and MFA
Slide 26: Windows Azure AD
• Extension of Active Directory into the cloud
• The platform for Microsoft cloud apps
• Designed to meet the needs of cloud applications, scale and multi-tenancy
• Provides directory and identity services: an essential part of Platform as a Service
• Your cloud directory for your apps
[Diagram: as on slide 6.]
Slide 27
Over 3 million tenants
Slide 28
Over 7 billion authentications, just last week
Slide 29
© 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.