ARC312. The Identity Jigsaw Puzzle
Page 1
The Identity Jigsaw Puzzle
Carol Wapshere, MVP, Identity Management Specialist, UNIFY Solutions, @miss_miis
ARC312
Page 2 – The Identity Jigsaw Puzzle: the pieces
• Security Policy, Governance, Audit, Reporting, Analysis, Data Quality – important for every component!
• Directory – anywhere that digital identities live
• Logon – logon method, password management, MFA
• Mobility – mobile devices, remote access for mobile users
• Provisioning – includes create, update and delete of objects; granting and revoking of access
• Development – identity standards and toolkits for developers
• Access Control – access management, initial and ongoing
• Authentication
• Authorization
Page 3 – The jigsaw pieces again: Security Policy, Governance, Audit, Reporting, Analysis, Data Quality, Directory, Logon, Mobility, Provisioning, Development, Access Control, Authentication, Authorization.
Page 4 – Directory
Identity Trends:
• IDaaS – Identity as a Service
A look at:
• Windows Azure Active Directory
Page 5 – Windows Azure AD (architecture diagram)
• On-premise AD is synchronised to Windows Azure AD with DirSync, or with FIM and the Azure MA for multi-forest environments; DirSync is now sync'ing the password hash.
• ADFS on premise provides federated logon.
• Windows Azure AD fronts Exchange Online, Lync Online, SharePoint Online, Dynamics CRM Online and Intune.
• Azure Apps: in-house or 3rd party apps written for Azure.
• Other SaaS applications.
Page 6 – Azure Application Access
SSO to SaaS applications. Depending on the application:
• Federated SSO using the Azure account
• SSO by saving app credentials – requires a browser plugin
Page 7 – Logon
Identity Trends:
• Federated SSO – OAuth or SAML
• Multi-factor using mobile phone
• Variable based on context/risk
A look at:
• Web Application Proxy
• Windows Azure AD Multi-Factor AuthN
Page 8 – About AD FS
Flow between the Identity Provider (ADFS) and the Service Provider (the application): Browse application → Redirect to IdP (ADFS) → Authenticate → Construct claims → Token → Redirect to SP → Token validated (is member of group?) → Verified token → Access application.
• Web API: all works through browser redirections
• SSO with local account to remote application
• Claims transmit the minimum required info
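The redirect flow above, simulated end to end as an added example (not code from the deck or from AD FS): the IdP constructs only the claims the application asked for and signs the token, then the SP checks signature, issuer, audience and expiry and tests the group-membership claim before granting access. An HMAC shared secret stands in for the AD FS token-signing certificate, and the `<claims>.<signature>` token format is a simplified stand-in for the SAML/JWT tokens AD FS issues; the issuer and application identifiers are hypothetical.

```python
import base64
import hashlib
import hmac
import json

# Assumptions for this simulation: an HMAC shared secret stands in for the IdP's
# token-signing certificate, and a token is "<base64url claims>.<base64url sig>".
IDP_SECRET = b"constructed-demo-signing-secret"
IDP_ISSUER = "https://adfs.contoso.com/"   # hypothetical IdP
APP_ID = "https://app.contoso.com/"        # hypothetical SP / relying party


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def construct_claims(user: dict, requested: list) -> dict:
    """IdP step: transmit only the minimum claims the application requires."""
    return {name: user[name] for name in requested if name in user}


def issue_token(user: dict, requested: list, now: int, lifetime: int = 600) -> str:
    """IdP step: build the claim set, add issuer/audience/expiry, sign it."""
    claims = construct_claims(user, requested)
    claims.update({"iss": IDP_ISSUER, "aud": APP_ID, "iat": now, "exp": now + lifetime})
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = _b64(hmac.new(IDP_SECRET, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def validate_token(token: str, now: int) -> dict:
    """SP step: reject tampered, mis-addressed or expired tokens before trusting claims."""
    body, sig = token.split(".", 1)
    expected = hmac.new(IDP_SECRET, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_unb64(sig), expected):
        raise ValueError("token signature invalid")
    claims = json.loads(_unb64(body))
    if claims.get("iss") != IDP_ISSUER or claims.get("aud") != APP_ID:
        raise ValueError("token not issued by our IdP for this application")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims


def is_member_of_group(claims: dict, group: str) -> bool:
    """SP authorization step from the slide: 'Is Member of Group'."""
    return group in claims.get("groups", [])


def access_application(token: str, required_group: str, now: int) -> bool:
    """Whole SP side: verified token plus group membership grants access."""
    return is_member_of_group(validate_token(token, now), required_group)
```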
Page 9 – Web Application Proxy – Windows 2012 R2
• Conditional access with multi-factor authentication is provided on a per-application basis
• Logon to SaaS applications in Windows Azure and other providers
• Enhancements to ADFS include simplified deployment and management
Diagram: the Web Application Proxy sits between two firewalls, in front of the published applications.
Page 10 – Web App Proxy conditional authentication
Page 11 – Web Application Proxy
• Part of the Remote Access Server role in Windows Server 2012 R2
• Replaces ADFS Proxy
• Publish applications for external use (like TMG/UAG)
• Multi-Factor Authentication
• Variable authentication based on device and location
Page 12 – Windows Azure AD Multi-Factor Authentication
• Second factor delivered by voice call, SMS or smartphone app
• Integrates with IIS, Windows, LDAP, RADIUS
• Combined with AD FS: per-application control, MFA enabled on context:
  • Intranet/extranet
  • AD Group
  • Device
Page 13 – Provisioning
Identity Trends:
• Cloud focussed
• Identity sync as important as ever
A look at:
• Forefront Identity Manager
• Azure Account Sync
Page 14 – Forefront Identity Manager 2010 R2
• User provisioning, de-provisioning, and role updates
• Built-in workflow for identity management
• Automatically synchronize all user information to different directories across the enterprise
• Automate the process of on-boarding new users
• Real-time de-provisioning from all systems to prevent unauthorized access and information leakage
Connected systems shown in the diagram: LDAP, Certificate Management, Custom.
Page 15 – Azure Application Account Sync
Page 16 – Access Control
Identity Trends:
• Context-based authorization
• Access Governance
A look at:
• BHOLD – part of Forefront Identity Manager 2010 R2
Page 17 – BHOLD – RBAC Solution
• Part of Forefront Identity Manager 2010 R2
• Modules:
  • Model Generator – analyse existing permissions against org structure and attributes
  • Analytics – preview how a rule change will affect users
  • Attestation – periodic review of permissions
  • Self-service – in the FIM Portal
  • Reporting
• Roles are: organisational, inherited, directly assigned, separation of duties
Page 18 – BHOLD Attestation Module
• Run attestation campaigns to review and validate access permissions
• Campaigns may be one-off or periodic
• Based on "has account" or on specific rights/memberships in the application
• Validation done by "Stewards" – may be related to the user (e.g. manager), application-based, or uploaded from CSV
• A Steward's decision can be over-ridden
• If connected to FIM Sync, permission changes can flow to the end system
Page 19 – BHOLD Attestation Campaign: Define a Campaign
Page 20 – BHOLD Attestation Campaign: Define a Campaign (continued)
Page 21 – BHOLD Attestation Campaign: Notification Templates
Page 22 – BHOLD Attestation Campaign: Notification Templates (continued)
Page 23 – BHOLD Attestation Campaign: Attestation Portal
Page 24 – Mobility
Identity Trends:
• BYOD
• Device identification
A look at:
• Workplace Join
Page 25 – Workplace Join – Windows Server 2012 R2
• AD includes a new "device" object class for registering mobile devices
• Registration does not make the device "managed", only "known"
• A certificate is dropped on the device – this becomes the second authentication factor
• The Workplace Join end point is published using the Web Application Proxy
Page 26 – Workplace Join – Windows 2012 R2
• Registration end point published on the Web Application Proxy.
• The registered device then works as a second factor for authentication when accessing applications and services.
• Users can register BYO devices for single sign-on and access to corporate data with Workplace Join. As part of this, a certificate is installed on the device.
Diagram components: AD with 2012 R2 schema extensions including the device object class; Device Registration Service.
Page 27 – Web App Proxy and Joined Devices
Page 28 – Development
Identity Trends:
• RESTful APIs
• Applications should use providers rather than control identity
A look at:
• Graph API for Azure AD
Page 29 – Graph API
• Standards-based web API for writing applications that work with Azure AD
• Focus on:
  • CRUD operations
  • Search operations
• Native support for OAuth and SAML
• Designed from the ground up for query speed and accessibility
Page 30 – Graph API Example – User Creation

```http
POST https://graph.windows.net/contoso.com/users?api-version=2013-04-05
Content-Type: application/json
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik5HVEZ2ZEstZnl0aEV1T….

{
  "accountEnabled": true,
  "userPrincipalName": "[email protected]",
  "displayName": "New User",
  "passwordProfile": {
    "password": "VStrongP@ssword1",
    "forceChangePasswordNextLogin": true
  },
  "mailNickname": "NewUser"
}
```

Response: 201 Created

Notes: (1) the password must meet the tenant's accepted password complexity requirements; (2) the minimum set of properties to create a user is shown in the example above.
Page 31 – Graph Query – return identity data
Example: https://graph.windows.net/contoso.com/users?api-version=2013-04-05&$filter=state eq 'WA'
Parts of the URL:
• Graph URL (static): https://graph.windows.net
• Tenant of interest – can be the tenant's verified domain or objectId
• Specific entity type, such as users, groups, contacts, tenantDetails, roles, applications, etc.
• API version
• OData filter on particular attribute values
Other query styles: follow relationships (memberOf, manager …); Differential Query (changes since last query).
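A small request builder for the user-creation and filtered-query slides above, added here as an example (not code from the deck or from any Graph API client library): it assembles the Graph URL from tenant, entity type, API version and an OData filter; doubles a quote inside the filter value so an attribute value cannot end the string literal early; checks the minimum property set before building the create-user request; and produces a copy with the bearer token and initial password redacted so the request can be logged. It only builds the request objects; sending them is left to the caller.

```python
import copy
import json
from urllib.parse import quote

GRAPH_BASE = "https://graph.windows.net"
API_VERSION = "2013-04-05"  # version used in the deck's examples
# Minimum property set for user creation, as listed on the user-creation slide.
REQUIRED_USER_PROPS = ("accountEnabled", "userPrincipalName", "displayName",
                       "passwordProfile", "mailNickname")


def odata_eq(attribute: str, value: str) -> str:
    """Build "<attr> eq '<value>'"; a quote inside the value is doubled (OData's
    escape), so a value such as O'Brien cannot close the literal early."""
    escaped = value.replace("'", "''")
    return f"{attribute} eq '{escaped}'"


def graph_url(tenant: str, entity: str, odata_filter: str = None,
              api_version: str = API_VERSION) -> str:
    """<base>/<tenant>/<entity>?api-version=<v>[&$filter=<encoded filter>]"""
    url = f"{GRAPH_BASE}/{quote(tenant, safe='')}/{quote(entity, safe='')}?api-version={api_version}"
    if odata_filter:
        url += "&$filter=" + quote(odata_filter, safe="")
    return url


def create_user_request(tenant: str, user: dict, bearer_token: str) -> dict:
    """Assemble the POST /users request after checking the minimum property set."""
    missing = [p for p in REQUIRED_USER_PROPS if p not in user]
    if missing:
        raise ValueError(f"missing required properties: {missing}")
    if "password" not in user["passwordProfile"]:
        raise ValueError("passwordProfile.password is required")
    return {
        "method": "POST",
        "url": graph_url(tenant, "users"),
        "headers": {"Content-Type": "application/json",
                    "Authorization": f"Bearer {bearer_token}"},
        "body": json.dumps(user),
    }


def redact_for_log(request: dict) -> dict:
    """Copy of the request that is safe to log: no bearer token, no password."""
    safe = copy.deepcopy(request)
    if "Authorization" in safe.get("headers", {}):
        safe["headers"]["Authorization"] = "Bearer [REDACTED]"
    if safe.get("body"):
        body = json.loads(safe["body"])
        if "password" in body.get("passwordProfile", {}):
            body["passwordProfile"]["password"] = "[REDACTED]"
        safe["body"] = json.dumps(body)
    return safe
```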
Page 32 – Security Policy, Governance, Audit, Reporting, Analysis, Data Quality
Identity Trends:
• Reporting increasingly a first class citizen
• No single technology or practice
• Standards should lead to better methodologies
Page 33 – Use Case: Internal/External Users accessing one application
Jigsaw components across the top: AuthN, AuthZ, Dir, Prov, Logon, AC, Dev, Mob; rows for Internal Network and Perimeter Network, with Accepted Cloud Identity Providers outside.
• Dir – Internal: Corporate AD; External: DMZ Domain, Trusted Partner IdP Providers; Application: Own Id Store
• Prov – Internal: FIM; External: Self-Reg Portal, Trusted IdP
• Logon – Managed IdP + Password Reset; Extranet: Web App Proxy, ADFS
• AC – Application managed, Claims based
• Mob – Device Join
• Dev – Windows Identity Foundation
Page 34 – References – Channel9 recorded sessions
• WAD-B308 Deep Dive into the Windows Azure Active Directory Graph API: Data Model, Schema, Query, and More
• WCA-B333 Enable work from anywhere without losing sleep: Remote Access with Web Application Proxy
• WCA-B334 Secure anywhere access to corporate resources such as Windows Server Work Folders using ADFS
• Windows Azure Multi-Factor Authentication Overview
Page 35 – Related content
• AZR209 Identity and Windows Azure
Find me later at the Unify/Optimal IDM stand.
Page 36 – Evaluate this session and you could win instantly! Head to aka.ms/te
Page 37
© 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.