1 MIM 2016 Oliver Ryf Partner:
Agenda
- Welcome
- Speaker introduction
- PowerShell Desired State Configuration
- Q&A
- Further courses

Speaker introduction
- IT trainer since 1991
- MCSE and MCT since 1995
- Since 2000: various projects in Windows/Office migrations, Active Directory, infrastructure, Hyper-V and Azure cloud
- Trainer at Digicomp since 2006
- Since 2014: Principal Consultant and Cloud Architect at UP-Great AG, Fehraltorf
IAM: a comprehensive solution (Microsoft Identity Manager)
- Windows Server Active Directory is the primary authentication source in enterprises
- Active Directory Federation Services integrates AD with Azure AD and MFA
- Web Application Proxy allows edge pre-authentication and enables Conditional Access for resources
- Identity Manager offers self-service identity management, automates lifecycle management across heterogeneous platforms, and allows extensive policies to be defined for enforcing corporate rules for identity and access
- Azure Active Directory: cloud directory, cloud authentication
- Azure Active Directory Premium includes Multi-Factor Authentication plus server and user CALs for Identity Manager

MIM for end-to-end IAM policies
- On-premises and private cloud
- Azure AD App Proxy
- Azure Active Directory
- Your apps

Identity Manager capabilities (diagram)
- Clients: Portal, Outlook, Windows, Custom
- Identity Manager platform: Policies and Workflow, Request, Permission, AuthN, AuthZ, Action, Service DB, Identity Synchronization
- Scenarios: Role Management, Certificate Management, Group Management, Password Reset
- Identity stores: Cloud Services, Databases, Directories, Applications

MIM 2016 up to date
- Updated platform support
- Certificate Management updated
- Self-service account unlock added
- Privileged Access Management: improved protection of admins, Just In Time (JIT) admin access, auditing for alerts and reports

MIM 2016 hybrid IAM
- Self-service password reset with Azure MFA as a gate
- Hybrid reporting
- AAD and Office 365 integration
Privileged Access Management
Privileged accounts: the risk
- First workstation compromised
- Research and preparation: 24-48 hours
- Domain admin compromised
- Data exfiltration, attacker undetected: 11-14 months
- Attack discovered

The solution: Just-in-Time admin access
- Prepare: which users have privileged access rights based on AD groups?
- Protect: step-up lifecycle and AuthN protection of privileged user accounts
- Operate: users can request Just In Time (JIT) and Just Enough administrator access privileges
- Monitor: additional auditing, alerts and reports of privileged access requests

Just-in-Time solution focus
- Domain account authentication and authorization
- Managing privileged access with: step-up and proof-up, isolation/scoping of privileges, additional logging, customizable workflow

JIT solution architecture (diagram)
- Existing AD forest(s) CORP (WS 2003 or later): existing apps, existing trust, user Jen, existing FIM (optional)
- PRIV forest (AD DS vNext): Microsoft Identity Manager configured for PAM; group Resource Admins
- PAM configuration: group Resource Admins, domain CORP, candidate Jen
- Jen sends user access requests to Privileged Access Management; optional existing trust for admin access
- Result: user PRIV\JenAdmin with time-based membership in CORP\Resource Admins, refresh after 60 minutes

Functional architecture (diagram)
- Request path: PowerShell New-PAMRequest (or MPR) into the MIM Service
- MIM Service: AuthZ workflow, Action workflow; objects User, Group, PAM Role, PAM Request; MIM Service DB
- Membership written to AD DS vNext; activity recorded in the Event Log
- Verification on the client: runas, then whoami /groups

PAM request
- PowerShell: New-PAMRequest
- REST API (web pages)
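As an added example (not the speaker's code and not a verbatim copy of Microsoft's documentation), the two preceding slides as the PowerShell an engineer would actually type: the PRIV-side onboarding of the CORP group, the candidate and the PAM role, then Jen's request and the whoami /groups check. Forest, user and group names (CORP, PRIV, Jen, JenAdmin, Resource Admins) come from the architecture slide; the host names corpdc.corp.local and pamserver.priv.local, the parameter names beyond New-PAMRequest, the REST route under /api/pamresources and the JSON field names are assumptions to check against Get-Help for the MIMPAM module and the MIM PAM REST reference.

```powershell
# --- Part 1: run once on the PAM server in the PRIV forest (MIM PAM admin) ---
Import-Module MIMPAM

# Credentials of a CORP domain admin; needed to read the source group and to
# change its membership later. corpdc.corp.local is an assumed DC name.
$corpCred = Get-Credential -UserName "CORP\Administrator" -Message "CORP admin credentials"

# Register the CORP group "Resource Admins" as a PAM-managed group (assumed parameter names).
$pamGroup = New-PAMGroup -SourceGroupName "Resource Admins" `
                         -SourceDomain "corp.local" `
                         -SourceDC "corpdc.corp.local" `
                         -Credentials $corpCred

# Register Jen as a candidate; PAM creates the shadow account PRIV\JenAdmin.
$shadowPwd = Read-Host -AsSecureString -Prompt "Initial password for PRIV\JenAdmin"
$pamUser = New-PAMUser -SourceDomain "corp.local" `
                       -SourceAccountName "Jen" `
                       -Credentials $corpCred `
                       -PrivAccountName "JenAdmin" `
                       -PrivPassword $shadowPwd

# The PAM role ties candidate and privilege together. TTL is in seconds:
# 3600 s matches the "refresh after 60 minutes" on the architecture slide.
$pamRole = New-PAMRole -DisplayName "Resource Admins" `
                       -Privileges $pamGroup `
                       -Candidates $pamUser `
                       -TTL 3600

# --- Part 2: run as PRIV\JenAdmin when elevation is needed ---
Import-Module MIMPAM

# Pick the role by display name; Get-PAMRole lists the roles the caller is a candidate for.
$role = Get-PAMRole | Where-Object { $_.DisplayName -eq "Resource Admins" }

# Ask for 30 minutes (less than the role TTL) with a justification that lands in the
# audit trail the "Monitor" slide refers to. The request is approved or rejected by
# the AuthZ workflow; Get-PAMRequest shows its status.
New-PAMRequest -Role $role -Justification "Ticket 4711: restart stuck print spooler" -RequestedTTL 1800
Get-PAMRequest | Format-Table RequestedTTL, CreationTime, Status, Justification -AutoSize

# Same request through the REST API (assumed host name, route and field names).
$pamApi = "http://pamserver.priv.local:8086/api/pamresources"
$roleId = (Invoke-RestMethod -Uri "$pamApi/pamroles" -UseDefaultCredentials |
           Where-Object { $_.DisplayName -eq "Resource Admins" }).RoleId
$body = @{ RoleId = $roleId; Justification = "Ticket 4711 via REST"; RequestedTTL = 1800 } | ConvertTo-Json
Invoke-RestMethod -Uri "$pamApi/pamrequests" -Method Post -Body $body `
                  -ContentType "application/json" -UseDefaultCredentials

# --- Part 3: verify. Group membership is only in tokens issued after the request
# was granted, so start a fresh logon session and inspect its groups.
runas /user:PRIV\JenAdmin "cmd /k whoami /groups /fo list"
# Expected: a line for CORP\Resource Admins in the new session; once the TTL
# expires the membership is gone and a new runas session no longer shows it.
```

The point of the check in Part 3 is that JIT membership never shows up in an already-running session: the time-bound group is only part of a token issued after approval, which is also why the membership silently disappears after the TTL without any process being killed.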
Hybrid Identity Management
Hybrid IAM with MIM vNext
- Hybrid MIM reporting
- Hybrid sync
- SSPR with Azure phone authentication
- O365 integration

IAM reporting and auditing: status (FIM 2010 R2)
- FIM activity reports delivered via System Center Service Manager

IAM reporting and auditing: current state
- Azure AD activity reports from the Azure portal (Azure AD Reports)

Hybrid reporting
- Today (System Center based): reports show changes in the FIM Service DB; may require separate SQL and SCDW hosts; reports ship as part of FIM major releases; custom reports require SCDW skills
- Adding scenario-based reporting: easier to deploy using cloud storage; reports can ship with Azure portal updates; easier to generate custom reports

Hybrid reporting: unified experience

Provisioning and synchronization, on-premises (diagram)
- Source: HR system (new employee, departing employee)
- MIM in the center, connected to Active Directory, Exchange, LDAP, Oracle DB, Manager, Finance

Provisioning and synchronization, hybrid (diagram)
- Source: HR system
- MIM connected to Windows Server Active Directory, Exchange, LDAP, Oracle DB, Manager, Finance, SaaS app
- Azure AD Sync from Windows Server Active Directory to Microsoft Azure Active Directory, which serves Exchange Online, SharePoint Online and Azure

AAD and MIM sync
- Before / current / roadmap
SSPR with MFA Gate
SSPR with phone AuthN
- New Phone Gate activity for implementing an additional phone authentication as part of an SSPR workflow
MIM Modernization
MIM 2016: modern features
- Self-service account unlock: with BYOD devices it frequently happens that accounts get locked out after a password change; enables self-service unlocking of accounts (without a password reset)
- Certificate Management modernization: modern app for self-service, new REST API, OAuth 2 enabled, CM server support for AD multi-forests
- Support for current platforms: Windows Server 2012 R2 and later, SQL Server 2014, SharePoint 2013, Exchange 2013, Visual Studio 2013, ...

Certificate Management with a Windows Store app

Q&A

Further courses
- Company-specific workshops