Identity and Access Management for the Hybrid Enterprise
Redmond Identity Summit 2014: Directories, Devices, Identity
Keith Brintzenhofe, Microsoft Corporation
Agenda
- Windows Azure Active Directory vision
- Windows Azure Active Directory and the hybrid enterprise today
- Identity and access management scenarios
- Q&A
Windows Azure Active Directory: The Vision
A modern, cloud-based identity management service providing federation, directory services, device registration, user provisioning, application access control and data protection. As a natural extension to on-premises directories, the combination of Windows Server AD and Windows Azure AD lets you secure today's hybrid enterprise.
- On-premises and cloud Active Directory managed as one
- Consistent identities for on-premises and cloud applications
- Easy end-user experience with single sign-on and self-service features
Windows Azure Active Directory and the Hybrid Enterprise - Today
(Architecture diagram; components shown: Self Service, On-premises and private cloud, HR, Forefront Identity Manager and Microsoft BHOLD Suite, Windows Azure Active Directory, Other apps, Windows Server Active Directory, DirSync, Custom apps, SaaS apps, Active Directory Federation Services, Microsoft Account, Other Directories)
Identity and Access Management Scenarios
- Simplify access and control of SaaS applications
- Reduce IT burden with self-service IAM
- Easily meet governance and compliance targets for IAM
- Improve security posture with monitoring of cloud services
- Rapidly develop and deploy new enterprise capabilities
Simplify access and control of SaaS applications: SaaS App Management
- Professional services company, 4,500 employees
- Interested in Office 365, Workday, Salesforce, Yammer and other SaaS applications
- Needs centralized management of employee access to SaaS applications
- Windows Azure AD single sign-on (SSO) for SaaS applications
- Access Panel at myapps.microsoft.com
Next steps
- Enable user SaaS SSO from mobile devices
- Manage additional SaaS apps, including federation and provisioning
Simplify access and control of SaaS applications: SaaS App User Provisioning
- Fortune 500 company with 100,000+ international employees
- Needed automated user provisioning and deprovisioning to SaaS apps including ServiceNow; ServiceNow also requires group objects
- FIM connector to synchronize across on-premises data sources and into Windows Azure AD
- Windows Azure AD provides user and group provisioning to ServiceNow and other SaaS apps
Next steps
- Develop standards such as OAuth and SCIM to extend the reach of provisioning to more apps
Simplify access and control of SaaS applications: Windows Azure AD Connector
- Fortune 500 company with 100,000+ international employees
- Multiple data sources on premises
- Need to provision users and groups to Windows Azure AD for control of SaaS
- FIM connector from on-premises data sources to Windows Azure AD
- Group-based application assignment in WAAD
Next steps
- Incorporate users from HR sources in addition to SAP, PeopleSoft and Oracle
Self-service identity and access management: Self Service Password Reset for Users
- University with 20,000 current students
- Existing on-premises password reset solution in place does not cover alumni
- Mobile phone verification method
- User registration
- Customization of helpdesk URL and branding of the Password Reset Portal with the university's logo
Next steps
- Additional/alternate verification methods
Self-service identity and access management: Tenant Branding
- Financial services firm with 200+ offices
- Subsidiary organizations need a consistent look and feel across authentication experiences
- Already using Office 365 and Active Directory
- Customized sign-in page experience for each of its subsidiaries
Self-service identity and access management: Self Service Group Management
- Enterprise with 100,000+ users
- Multiple AD forests
- On-premises applications, cloud-hosted LOB and SaaS applications
- On-premises SSGM controls access across apps
- Coordinates both administrator-managed and owner-managed groups across multiple AD forests
- Users can find and request to join groups
- Configurable workflow for approvals and notifications
Next steps
- SSGM as a Service
Easily meet governance and compliance targets for IAM: Roles and attestation
- Enterprise with 25,000 employees
- Role-based access control for LOB applications
- Policy-based role assignment (users with a given job title automatically get one or more roles assigned)
- Attestation allows for review and sign-off on permissions on a regular basis
- Analytics for identification of users not in compliance with business policy
Next steps
- Engage with partners such as OCG for further use of FIM and BHOLD capabilities
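The roles-and-attestation scenario in working form, as an added example that is not part of the presentation and not FIM or BHOLD code: a job-title policy grants roles automatically, the gap between held and entitled roles identifies non-compliant users, and the out-of-policy grants are grouped by manager for periodic sign-off. The policy table, users, role names and manager addresses are constructed sample data.

```python
"""Policy-based role assignment with an attestation report (added example;
all policy entries, users, roles and managers are constructed sample data)."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed policy: job title -> roles that title receives automatically.
ROLE_POLICY = {
    "AP Clerk":   {"AP-Invoice-Entry"},
    "AP Manager": {"AP-Invoice-Entry", "AP-Invoice-Approve"},
    "Auditor":    {"Finance-ReadOnly"},
}


@dataclass
class User:
    upn: str
    job_title: str
    roles: set        # roles the user actually holds today
    manager: str      # who signs off on this user's access during attestation


def policy_roles(job_title):
    """Roles a job title is entitled to; unknown titles are entitled to nothing."""
    return set(ROLE_POLICY.get(job_title, set()))


def reconcile(user):
    """Return (roles to add automatically, roles held outside policy)."""
    entitled = policy_roles(user.job_title)
    return entitled - user.roles, user.roles - entitled


def attestation_report(users):
    """Group every out-of-policy grant under the manager who must review it."""
    report = defaultdict(list)
    for user in users:
        _, extras = reconcile(user)
        if extras:
            report[user.manager].append((user.upn, sorted(extras)))
    return dict(report)


# Constructed directory snapshot: bob holds an approval role his title does
# not grant; carol's title has no policy, so everything she holds is reviewed.
USERS = [
    User("alice@example.com", "AP Clerk", {"AP-Invoice-Entry"}, "mgr1@example.com"),
    User("bob@example.com", "AP Clerk", {"AP-Invoice-Entry", "AP-Invoice-Approve"}, "mgr1@example.com"),
    User("carol@example.com", "Contractor", {"Finance-ReadOnly"}, "mgr2@example.com"),
]

if __name__ == "__main__":
    for manager, items in attestation_report(USERS).items():
        print(manager, items)
```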
Easily meet governance and compliance targets for IAM: Multi-Factor Authentication
- Local government agency
- Protect access to sensitive applications
- Avoid end-user lockout by using multiple MFA methods (mobile app; call or SMS to mobile, office or alternate phone)
- Targeted MFA for sensitive accounts
- Customization of MFA greetings, fraud alert and one-time bypass capabilities
- End-user self-service enrollment
Next steps
- MFA targeting for sensitive apps/actions
Security monitoring and alerting for cloud services: Reporting
- Large multinational enterprise
- Frequent target of attempts to gain unauthorized access to employee accounts
- Anomaly detection: credential sharing, credential misuse/loss, brute-force attacks, access from behind anonymizers
- Detection of attacks spanning organizations
Next steps
- On-premises data correlation and analytics
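What three of the listed anomaly categories look like as detection logic over sign-in events, as an added example that is not part of the presentation and not the service's own reporting code: repeated failures for one account inside a short window (brute force), one account succeeding from several countries inside an hour (credential sharing), and a successful sign-in from an address on an anonymizer list. The log format, thresholds, sample events and the anonymizer list are all constructed assumptions.

```python
"""Anomaly checks over constructed sign-in log lines (added example; log
format, thresholds, events and the anonymizer list are all assumptions)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp, user, source IP, country, result.
SAMPLE_LOG = """\
2014-04-01T08:00:00 alice 203.0.113.5 US success
2014-04-01T08:00:05 bob 198.51.100.7 US failure
2014-04-01T08:00:10 bob 198.51.100.7 US failure
2014-04-01T08:00:15 bob 198.51.100.7 US failure
2014-04-01T08:00:20 bob 198.51.100.7 US failure
2014-04-01T08:00:25 bob 198.51.100.7 US failure
2014-04-01T08:10:00 alice 192.0.2.9 DE success
2014-04-01T08:20:00 alice 198.51.100.20 BR success
2014-04-01T09:00:00 carol 192.0.2.77 US success
"""
# Constructed list standing in for an anonymizer / exit-node feed.
ANONYMIZER_IPS = {"192.0.2.77"}


def parse(log):
    """Turn the constructed log into (time, user, ip, country, result) tuples."""
    events = []
    for line in log.splitlines():
        ts, user, ip, country, result = line.split()
        events.append((datetime.fromisoformat(ts), user, ip, country, result))
    return events


def detect(events, fail_threshold=5, fail_window=timedelta(minutes=5),
           share_countries=3, share_window=timedelta(hours=1)):
    """Return (category, user) alerts; one alert per category per user."""
    alerts = []
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev[1]].append(ev)
    for user, evs in by_user.items():
        evs.sort()
        fails = [e[0] for e in evs if e[4] == "failure"]
        # Brute force: fail_threshold failures inside fail_window.
        if any(fails[i + fail_threshold - 1] - fails[i] <= fail_window
               for i in range(len(fails) - fail_threshold + 1)):
            alerts.append(("brute_force", user))
        succ = [(e[0], e[3]) for e in evs if e[4] == "success"]
        # Credential sharing: successes from share_countries countries in share_window.
        if any(len({c for t, c in succ[i:] if t - t0 <= share_window}) >= share_countries
               for i, (t0, _) in enumerate(succ)):
            alerts.append(("credential_sharing", user))
    for _, user, ip, _, result in events:
        if result == "success" and ip in ANONYMIZER_IPS:
            alerts.append(("anonymizer_access", user))
    return alerts
```

The thresholds are deliberately simple; a production rule would also weight by the sensitivity of the application and suppress known corporate egress addresses.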
Rapidly develop and deploy new enterprise capabilities: Custom application integration
- Healthcare service provider
- Apps need to authenticate and authorize users based on enterprise directory data
- Web app, Web API and mobile clients
- SSO (leveraging strong authentication and federation)
- App access to the user profile in the cloud
Next steps
- Social identities and guests
- Schema extensions
Next Steps
- Sign up for the Windows Azure Active Directory Premium Preview: http://www.windowsazure.com/en-us/services/preview/
  - Self-service password reset
  - User provisioning and deprovisioning to SaaS apps
  - Group management
  - Advanced security reports
  - More to come!
- Give us feedback via the forums at http://aka.ms/aadforum
- My contact info: kbrint@microsoft.com
Q&A