Ondřej Výšek, Sales Lead, Microsoft MVP, vysek@kpcs.cz
Azure Active Directory
Features by edition (Free / Basic / Premium)

Free edition (<500K objects, 10 apps / user):
- Directory as a service
- User and group management using UI or Windows PowerShell cmdlets
- Device registration
- Access Panel portal for SSO-based user access to SaaS and custom applications
- User-based application access management and provisioning
- Self-service password change for cloud users
- Azure AD Connect, for syncing between on-premises directories and Azure Active Directory
- Standard security reports

Basic edition adds (no object limit, 10 apps / user):
- High availability SLA uptime (99.9%)
- Group-based application access management and provisioning
- Customization of company logo and colours on the Sign In and Access Panel pages
- Self-service password reset for cloud users
- Application Proxy: secure remote access and SSO to on-premises web applications
- Self-service group management for cloud users

Premium edition adds (no object limit, no app limit):
- Advanced application usage reporting
- Self-service password reset with on-premises write-back
- Microsoft Identity Manager (MIM) user licenses, for on-premises identity and access management
- Advanced anomaly security reports (machine learning-based)
- Cloud app discovery
- Multi-Factor Authentication service for cloud users
- Multi-Factor Authentication server for on-premises users
- Azure Active Directory Connect Health, to monitor the health of the on-premises Active Directory infrastructure and get usage analytics
Diagram: on-premises Active Directory Domain Services is synchronized to Azure AD with DirSync and federated through AD FS; Azure AD then provides access to SaaS applications such as Google Apps and SalesForce.com.
Synchronization (Microsoft Azure): user attributes are synchronized, including the password hash, so authentication can be completed against either Azure AD or Windows Server Active Directory. Write-back of attributes supports cloud-first and co-existence scenarios.

Federation (Microsoft Azure with AD FS): AD FS provides conditional access to resources, Workplace Join for device registration and integrated Multi-Factor Authentication. User attributes are synchronized, but authentication is passed back through federation and completed against Windows Server Active Directory.
https://msdn.microsoft.com/en-us/library/azure/dn790204.aspx See Install the Azure AD Sync Service
https://msdn.microsoft.com/en-us/library/azure/dn783462.aspx
Source Anchor
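Added example (PowerShell, not from the deck): what the source anchor is in practice, and how to audit which of the two models on the previous slide a tenant is running. It assumes the MSOnline module of that era (Connect-MsolService, Get-MsolCompanyInformation, Get-MsolDomain, Get-MsolUser) and, for the on-premises lookup, the ActiveDirectory RSAT module (Get-ADUser). The GUID, sAMAccountName and UPN below are constructed; the round-trip check runs offline, the two audit functions need a tenant connection.

```powershell
# Added example, not part of the original deck. Assumes the MSOnline module
# (Connect-MsolService, Get-Msol*) and the ActiveDirectory RSAT module (Get-ADUser).
# Default source anchor used by DirSync / Azure AD Sync / Azure AD Connect in this era:
# the on-premises objectGUID, stored in Azure AD as the base64-encoded ImmutableId.

function ConvertTo-ImmutableId {
    param([Parameter(Mandatory)][guid]$ObjectGuid)
    # 16 raw GUID bytes -> 24-character base64 string (the ImmutableId)
    [System.Convert]::ToBase64String($ObjectGuid.ToByteArray())
}

function ConvertFrom-ImmutableId {
    param([Parameter(Mandatory)][string]$ImmutableId)
    $bytes = [System.Convert]::FromBase64String($ImmutableId)
    if ($bytes.Length -ne 16) { throw "Not a GUID-based source anchor: $ImmutableId" }
    New-Object -TypeName System.Guid -ArgumentList (,$bytes)
}

# Offline round-trip check with a constructed GUID (not a real object)
$sampleGuid = [guid]'1b1e2c3d-4f50-6172-8394-a5b6c7d8e9f0'
$sampleId   = ConvertTo-ImmutableId $sampleGuid
if ((ConvertFrom-ImmutableId $sampleId) -ne $sampleGuid) { throw 'ImmutableId round-trip failed' }
Write-Host "objectGUID $sampleGuid <-> ImmutableId $sampleId"

function Test-SourceAnchor {
    # Compares the anchor Azure AD holds for a synced user with the on-premises objectGUID.
    # A mismatch means the cloud object is not hard-matched to this AD object (for example a
    # pre-existing cloud-only account with the same UPN that was soft-matched or never matched).
    param([Parameter(Mandatory)][string]$SamAccountName,
          [Parameter(Mandatory)][string]$UserPrincipalName)
    $onPrem   = Get-ADUser -Identity $SamAccountName
    $cloud    = Get-MsolUser -UserPrincipalName $UserPrincipalName
    $expected = ConvertTo-ImmutableId $onPrem.ObjectGUID
    [pscustomobject]@{
        UserPrincipalName   = $UserPrincipalName
        OnPremObjectGuid    = $onPrem.ObjectGUID
        ExpectedImmutableId = $expected
        CloudImmutableId    = $cloud.ImmutableId
        HardMatched         = ($cloud.ImmutableId -eq $expected)
        LastDirSyncTime     = $cloud.LastDirSyncTime
    }
}

function Get-TenantIdentityModel {
    # Synchronization (with or without password hash sync) and/or federation, per verified domain
    $company = Get-MsolCompanyInformation
    $domains = Get-MsolDomain | Where-Object { $_.Status -eq 'Verified' }
    [pscustomobject]@{
        DirectorySyncEnabled = $company.DirectorySynchronizationEnabled
        PasswordSyncEnabled  = $company.PasswordSynchronizationEnabled
        LastDirSyncTime      = $company.LastDirSyncTime
        FederatedDomains     = @($domains | Where-Object { $_.Authentication -eq 'Federated' } | ForEach-Object { $_.Name })
        ManagedDomains       = @($domains | Where-Object { $_.Authentication -eq 'Managed' }   | ForEach-Object { $_.Name })
    }
}

# Online usage (requires a tenant connection; the names are constructed):
# Connect-MsolService
# Get-TenantIdentityModel
# Test-SourceAnchor -SamAccountName 'jdoe' -UserPrincipalName 'jdoe@contoso.com'
```

The anchor matters for federation as much as for sync: AD FS asserts an ImmutableID claim derived from the same objectGUID, and Azure AD resolves the signed-in user by that value rather than by UPN. A user reported with HardMatched = $false is therefore a sign-in or duplicate-object problem waiting to happen; on a cloud-only object it can be corrected with Set-MsolUser -ImmutableId before the next sync cycle.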
Feature | Azure AD (Free) | Azure AD Basic | Azure AD Premium
Directory as a Service | Up to 500k objects | No object limit | No object limit
User and group management using UI or Windows PowerShell cmdlets | Yes | Yes | Yes
Access Panel portal for SSO-based user access to SaaS and custom applications | 10 applications per user | 10 applications per user | No limit
User-based application access management/provisioning | Yes | Yes | Yes
Self-service password change for cloud users | Yes | Yes | Yes
Directory synchronization tool (for syncing between on-premises Active Directory and Azure Active Directory) | Yes | Yes | Yes
Standard security reports | Yes | Yes | Yes
High availability SLA uptime (99.9%) | No | Yes | Yes
Group-based application access management and provisioning | No | Yes | Yes
Company branding: customization of company logo and colors on the Sign In and Access Panel pages | No | Yes | Yes
Self-service password reset for cloud users | No | Yes | Yes
Application Proxy | No | Yes | Yes
Self-service group management for cloud users | No | Yes | Yes
Self-service password reset with on-premises writeback | No | No | Yes
Microsoft Identity Manager (MIM) server licenses (for syncing between on-premises databases and/or directories and Azure Active Directory) | No | No | Yes
Advanced anomaly security reports (machine learning-based) | No | No | Yes
Advanced usage reporting | No | No | Yes
Multi-Factor Authentication service for cloud users | No | No | Yes
Multi-Factor Authentication server for on-premises users | No | No | Yes

AAD Editions: https://msdn.microsoft.com/en-us/library/azure/dn532272.aspx
Office365+AAD: http://blogs.office.com/2015/02/17/sign-page-branding-cloud-user-self-service-password-reset-office-365/
Management interfaces: PowerShell, Graph API, Portal (manage.microsoft.com)
Azure AD PowerShell (Desktop): https://technet.microsoft.com/en-us/library/dn532270.aspx
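Added example (PowerShell, not from the deck): the "user and group management using Windows PowerShell cmdlets" feature written out as a provisioning routine with the MSOnline module of that era. It assumes Connect-MsolService, New-MsolUser, Get-MsolAccountSku, Set-MsolUserLicense, Get-MsolGroup, New-MsolGroup, Get-MsolGroupMember and Add-MsolGroupMember; the UPN, group name and SKU id are constructed.

```powershell
# Added example, not part of the original deck. Assumes the MSOnline module
# (Connect-MsolService, New-MsolUser, New-MsolGroup, Add-MsolGroupMember,
# Get-MsolAccountSku, Set-MsolUserLicense). All names, UPNs and the SKU id are constructed.

function New-StandardUser {
    # Creates a cloud user with the settings a security review expects: a temporary
    # password that must be changed at first sign-in, the strong-password policy kept on,
    # expiry not disabled, and a usage location so a license can be assigned.
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [Parameter(Mandatory)][string]$DisplayName,
        [Parameter(Mandatory)][string]$FirstName,
        [Parameter(Mandatory)][string]$LastName,
        [Parameter(Mandatory)][string]$UsageLocation,   # ISO 3166 two-letter code, e.g. 'CZ'
        [string]$LicenseSku                              # e.g. 'contoso:ENTERPRISEPACK' (from Get-MsolAccountSku)
    )
    $params = @{
        UserPrincipalName      = $UserPrincipalName
        DisplayName            = $DisplayName
        FirstName              = $FirstName
        LastName               = $LastName
        UsageLocation          = $UsageLocation
        ForceChangePassword    = $true
        StrongPasswordRequired = $true
        PasswordNeverExpires   = $false
    }
    # No -Password: the service generates a temporary one and returns it in the Password property
    $user = New-MsolUser @params
    if ($LicenseSku) {
        $sku = Get-MsolAccountSku | Where-Object { $_.AccountSkuId -eq $LicenseSku }
        if (-not $sku -or ($sku.ActiveUnits - $sku.ConsumedUnits) -lt 1) {
            throw "No free seats for $LicenseSku"
        }
        Set-MsolUserLicense -UserPrincipalName $UserPrincipalName -AddLicenses $LicenseSku
    }
    $user   # carries the generated temporary password; deliver it out of band, never by the same mail
}

function Add-UserToAppGroup {
    # Group-based application access (a Basic/Premium feature on the editions slide):
    # create the group if it is missing, then add the user by ObjectId, idempotently.
    param([Parameter(Mandatory)][string]$GroupDisplayName,
          [Parameter(Mandatory)][string]$UserPrincipalName)
    $group = Get-MsolGroup -SearchString $GroupDisplayName |
             Where-Object { $_.DisplayName -eq $GroupDisplayName } | Select-Object -First 1
    if (-not $group) {
        $group = New-MsolGroup -DisplayName $GroupDisplayName -Description 'Assigned access to an application'
    }
    $user     = Get-MsolUser -UserPrincipalName $UserPrincipalName
    $existing = Get-MsolGroupMember -GroupObjectId $group.ObjectId |
                Where-Object { $_.ObjectId -eq $user.ObjectId }
    if (-not $existing) {
        Add-MsolGroupMember -GroupObjectId $group.ObjectId -GroupMemberType User -GroupMemberObjectId $user.ObjectId
    }
    $group.ObjectId
}

# Usage (requires a tenant connection; values are constructed):
# Connect-MsolService
# $u = New-StandardUser -UserPrincipalName 'jdoe@contoso.com' -DisplayName 'Jane Doe' `
#        -FirstName 'Jane' -LastName 'Doe' -UsageLocation 'CZ' -LicenseSku 'contoso:ENTERPRISEPACK'
# Add-UserToAppGroup -GroupDisplayName 'App-Sales-Users' -UserPrincipalName $u.UserPrincipalName
```

Assigning the application to the group rather than to individual users is what makes the later "Self-service group management" slide safe to enable: access follows group membership, so joining and leaving the group is the whole access decision and can be audited as one.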
Self Service Group Management (SSGM)
SSGM also enables users to request membership in a group by clicking the gear icon on the group and then Join.
https://msdn.microsoft.com/en-us/library/azure/dn913807.aspx
Azure AD Application Integration
https://msdn.microsoft.com/library/azure/dn308588.aspx#bkmk_passwordsso
https://msdn.microsoft.com/en-us/library/azure/dn893637.aspx
https://msdn.microsoft.com/en-us/library/azure/dn308593.aspx
Access Panel: https://myapps.microsoft.com (screenshot of the contoso.com tenant)
Azure AD Premium Security Reports
Multi-Factor Authentication (MFA)
Feature | MFA for Office 365 | Azure Multi-Factor Authentication
Administrators can Enable/Enforce MFA to end-users | Yes | Yes
Use Mobile app (online and OTP) as second authentication factor | Yes | Yes
Use Phone call as second authentication factor | Yes | Yes
Use SMS as second authentication factor | Yes | Yes
Application passwords for non-browser clients (e.g. Outlook, Lync) | Yes | Yes
Default Microsoft greetings during authentication phone calls | Yes | Yes
Custom greetings during authentication phone calls | No | Yes
Fraud alert | No | Yes
MFA SDK | No | Yes
Security Reports | No | Yes
MFA for on-premises applications / MFA Server | No | Yes
One-Time Bypass | No | Yes
Block/Unblock Users | No | Yes
Customizable caller ID for authentication phone calls | No | Yes
Event Confirmation | No | Yes
What are you trying to secure? (columns: Cloud Multi-Factor Authentication | Multi-Factor Authentication Server)
- First party Microsoft apps
- SaaS apps in the app gallery
- IIS applications published through CWAP
- IIS applications not published through CWAP
- Remote access systems such as VPN, RDG
The split follows the user-location table: targets that authenticate through Azure AD take cloud MFA, while targets that authenticate only against on-premises Active Directory need the Multi-Factor Authentication Server.
User location | Solution
Azure Active Directory | Cloud Multi-Factor Authentication
Azure AD and on-premises AD using federation with AD FS | Both Cloud Multi-Factor Authentication and Multi-Factor Authentication Server are available options
Azure AD and on-premises AD using DirSync, Azure AD Sync or Azure AD Connect, no password sync | Both Cloud Multi-Factor Authentication and Multi-Factor Authentication Server are available options
Azure AD and on-premises AD using DirSync, Azure AD Sync or Azure AD Connect, with password sync | Cloud Multi-Factor Authentication
On-premises Active Directory | Multi-Factor Authentication Server
MFA Versions Feature Comparison. Columns: Multi-Factor Authentication for Office 365 (included in Office 365 SKUs); Multi-Factor Authentication for Azure Administrators (included with an Azure subscription; administrators can protect accounts with MFA, available only for Azure administrator accounts); Azure Multi-Factor Authentication (included in Azure AD Premium and EMS). Features compared:
- Mobile app as a second factor
- Phone call as second factor
- SMS as second factor
- App passwords for clients that don't support MFA
- Admin control over authentication methods
- PIN mode
- Fraud alert
- MFA Reports
- One-Time Bypass
- Custom greetings for phone calls
- Customizable caller ID for phone calls
- Event Confirmation
- Trusted IPs
- Suspend MFA for remembered devices (Public Preview)
- MFA SDK
- MFA for on-premises applications using MFA Server
MFA Versions: Cloud vs. Server feature comparison. Columns: Cloud Multi-Factor Authentication | Multi-Factor Authentication Server. Features compared:
- Mobile app notification as a second factor
- Mobile app verification code as a second factor
- Phone call as second factor
- One-way SMS as second factor
- Two-way SMS as second factor
- Hardware tokens as second factor
- App passwords for clients that don't support MFA
- Admin control over authentication methods
- PIN mode
- Fraud alert
- MFA Reports
- One-Time Bypass
- Custom greetings for phone calls
- Customizable caller ID for phone calls
- Trusted IPs
- Suspend MFA for remembered devices (Public Preview)
- Conditional access
- Cache
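Added example (PowerShell, not from the deck): the "administrators can Enable/Enforce MFA to end-users" row of the comparison table, done with the MSOnline cmdlets of that era, plus the check a security engineer runs first: which directory-role holders still have per-user MFA disabled. It assumes Set-MsolUser, Get-MsolUser, Get-MsolRole and Get-MsolRoleMember and the Microsoft.Online.Administration.StrongAuthenticationRequirement type the module loads; the UPN is constructed and the functions need a tenant connection.

```powershell
# Added example, not part of the original deck. Assumes the MSOnline module
# (Set-MsolUser, Get-MsolUser, Get-MsolRole, Get-MsolRoleMember) and the
# Microsoft.Online.Administration.StrongAuthenticationRequirement type it loads.
# Per-user MFA states: Disabled (no requirement), Enabled (user must register methods
# at next sign-in), Enforced (registration complete, MFA required on every sign-in).

function Set-UserMfaState {
    param([Parameter(Mandatory)][string]$UserPrincipalName,
          [Parameter(Mandatory)][ValidateSet('Disabled','Enabled','Enforced')][string]$State)
    if ($State -eq 'Disabled') {
        # An empty requirement list clears per-user MFA
        Set-MsolUser -UserPrincipalName $UserPrincipalName -StrongAuthenticationRequirements @()
        return
    }
    $req = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
    $req.RelyingParty = '*'      # every relying party, not a single application
    $req.State        = $State
    Set-MsolUser -UserPrincipalName $UserPrincipalName -StrongAuthenticationRequirements @($req)
}

function Get-UserMfaState {
    param([Parameter(Mandatory)]$User)   # an output object of Get-MsolUser
    $req = $User.StrongAuthenticationRequirements
    if (-not $req -or @($req).Count -eq 0) { 'Disabled' } else { @($req)[0].State }
}

function Get-PrivilegedUsersWithoutMfa {
    # Walks every directory role whose name contains 'Administrator' and reports the user
    # members whose per-user MFA is still Disabled. Role membership is the privilege;
    # enforcing MFA on those accounts is the first least-privilege control to verify.
    $results = foreach ($role in (Get-MsolRole | Where-Object { $_.Name -like '*Administrator*' })) {
        $members = Get-MsolRoleMember -RoleObjectId $role.ObjectId |
                   Where-Object { $_.RoleMemberType -eq 'User' }
        foreach ($m in $members) {
            $u     = Get-MsolUser -ObjectId $m.ObjectId
            $state = Get-UserMfaState $u
            if ($state -eq 'Disabled') {
                [pscustomobject]@{ Role = $role.Name; UserPrincipalName = $u.UserPrincipalName; MfaState = $state }
            }
        }
    }
    $results | Sort-Object Role, UserPrincipalName
}

# Usage (requires a tenant connection; the UPN is constructed):
# Connect-MsolService
# Get-PrivilegedUsersWithoutMfa | Format-Table -AutoSize
# Set-UserMfaState -UserPrincipalName 'admin@contoso.com' -State 'Enforced'
```

Two caveats that the feature tables above do not spell out. First, Enabled lets non-browser clients keep signing in with the password alone until the user completes registration, so for administrator accounts go straight to Enforced and confirm registration. Second, the "application passwords for non-browser clients" row means exactly that: a static secret that satisfies Outlook or Lync without a second factor. Treat an app password as a single-factor credential, and do not issue one for an account that holds a directory role.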
Diagram: Azure AD-integrated MFA for federated identities. The user authenticates at AD FS, Azure AD then invokes Azure MFA before issuing access to the web app; the second factor shown is a one-way text message.

Diagram: AD FS-integrated Azure MFA. The Azure MFA Server runs on-premises as an AD FS authentication provider, so the second factor is completed before the federated token reaches Azure AD and the web app; the second factor shown is a two-way text message.
Self Service Password Reset (SSPR)
http://aka.ms/ssprsetup http://myapps.microsoft.com
Azure AD Application Proxy
http://channel9.msdn.com/events/ignite/2015/brk3864
Earlier options for publishing on-premises web applications: Forefront UAG/TMG; Web Application Proxy + AD FS
Remote Access as a Service
- Easily publish your on-premises applications to users outside the corporate network
- Extend Azure AD to on-premises applications
- Utilize Azure AD as a central management point for all your apps
Diagram: an external user browses to https://sales-contoso.msappproxy.net (or the custom domain https://sales.contoso.com); Azure AD handles the sign-in and the Application Proxy relays the request through the DMZ into the corporate network to the internal application at http://sales.
RMS
Side by side: AD RMS vs. Azure RMS
AD RMS (on-premises): Active Directory, AD RMS server; consumers are Exchange, SharePoint, Windows Server FCI, Office 2007/2010/2013.
Azure RMS: operating in 3 geos (NA, EU, AP); Azure KMS / KMSP (HSM); Azure AD; Exchange Online (EXO) and SharePoint Online (SPO); new mobile REST endpoints; on-premises Exchange, SharePoint and Windows Server FCI via connector; Office 2007/2010/2013.
Microsoft InTune
Device lifecycle
Enroll
- Provide a self-service Company Portal for users to enroll devices
- Deliver custom terms and conditions at enrollment
- Bulk enroll devices using Apple Configurator, DEP or a service account
- Restrict access to Exchange email or SharePoint if a device is not enrolled
Provision
- Deploy device security policy settings
- Deploy certificates, email, VPN, and WiFi profiles
- Install mandatory apps
- Deploy app restriction policies
- Deploy data protection policies
Manage and Protect
- Restrict access to corporate resources if policies are violated (e.g., jailbroken device)
- Protect corporate data by restricting actions such as copy/cut/paste/save outside of the managed app ecosystem
- Report on device and app compliance
Retire
- Revoke access to corporate resources
- Perform selective wipe
- Audit lost and stolen devices
Diagram: Intune standalone (cloud only): IT uses the Intune web console to manage mobile devices and PCs. Configuration Manager integrated with Intune (hybrid): IT uses the Configuration Manager console (System Center Configuration Manager) to manage domain-joined PCs and mobile devices.
Intune standalone (cloud only): administered from the Intune web console.
- No existing infrastructure necessary
- No existing Configuration Manager deployment required
- Simplified policy control
- Simple web-based administration console
- Faster cadence of updates; always up-to-date
Devices supported (mobile devices and PCs): Windows PCs (x86/64, Intel SoC), Windows RT, Windows Phone 8.x, iOS, Android
System Center 2012 R2 Configuration Manager SP1 with Microsoft Intune (hybrid): administered from the Configuration Manager console.
- Build on an existing Configuration Manager deployment
- Full PC management (OS deployment, endpoint protection, application delivery control, custom reporting)
- Deep policy control requirements
- Large scale
- Extensible administration tools (RBA, PowerShell, SQL Reporting Services)
Devices supported (Windows PC and Server, Mac, Linux; Windows Phone, iOS, Android): Windows PCs (x86/64, Intel SoC), Windows To Go, Windows Server, Linux/UNIX server, Mac OS X, Windows RT, Windows Phone, iOS, Android
Planning questions
- Trial or existing Intune tenant?
- Existing Office 365 tenant?
- Azure AD only, or on-premises AD synchronization with Azure AD?
- Deployment option (Standalone or Hybrid)?
Prerequisites
- Certificates and keys to enable device platform management
- Azure AD Directory Synchronization Tool (optional)
- Exchange Connector (optional)
- SCEP infrastructure (optional)
Microsoft Intune supports iOS 7.1+, Android 4.0+, Windows 8.1, Windows Phone 8+ and Windows 10. An Apple ID is required for the APNs certificate. Sideloading apps on Windows 8.1 and Windows Phone 8.1 requires code-signing certificates and sideloading keys. The number of devices a user can enroll can be limited (the default is 5). The user enrolls a device via the Intune Company Portal app.
Diagram: reference network layout. Internet: the mobile device and the cloud services (Intune, O365, Azure AD). Behind the external firewall, the DMZ hosts a reverse proxy and the AD FS proxy. Behind the internal firewall, the internal network hosts identity management (AD / AD FS, with Azure AD Connect optional), Exchange 2010/2013 with the Exchange Connector (on-premises Exchange only), and SCEP: a CA with NDES and the NDES Connector (certificate enrollment only).
Settings management
- Comprehensive security policies are enforced on each platform
- Extensive configuration settings are available for each platform
- Reporting is available on each setting: whether it is applicable, conformant, or in error
- Policies can be applied to user and device groups
Complete list of settings per platform: built-in policy settings, OMA-URI settings, and Apple Configurator profiles
dalibor.kacmar@microsoft.com