Hybrid Identity: de paraplu in de cloud (the umbrella in the cloud)

Experts Live Summer Night, 31 slides. Speaker: Robbert van der Zwan, TSP EM+S Netherlands

Transcript of the slide deck "Hybrid Identity: de paraplu in de cloud"

Page 1 (source: expertslive.nl/wp-content/uploads/2017/07/ExpertsLive-AAD-14-juni-2…)

Experts Live Summer Night

Hybrid Identity: de paraplu in de cloud (the umbrella in the cloud)

Robbert van der Zwan, TSP EM+S Netherlands

Page 2

Robbert van der Zwan

Robbert works as an Enterprise Mobility and Security (EM+S) Technical Solution Professional (TSP) for Microsoft in the Netherlands.

Page 3

Enterprise Mobility + Security (EMS)

• Identity and access management: Azure Active Directory Premium
• Mobile device and app management: Intune
• Information protection: Azure Information Protection
• User and entity behavioral analytics: Advanced Threat Analytics
• Cloud and SaaS app security: Cloud App Security

Page 4 (no extracted text)

Page 5

Identity as the control plane

Diagram labels: On-premises (Windows Server Active Directory)

Page 6

Identity as the control plane

Diagram labels: On-premises (Windows Server Active Directory), VPN, BYO, SaaS, Azure, Cloud, Public cloud, Customers, Partners

Page 7

Identity as the control plane

Diagram labels: On-premises (Windows Server Active Directory), VPN, BYO, SaaS, Azure, Cloud, Public cloud, Customers, Partners

Page 8

Azure AD as the control plane

Diagram labels: On-premises (Windows Server Active Directory), Microsoft Azure Active Directory, Azure, Cloud, Public cloud, Customers, Partners

A modern identity management system spanning cloud and on-premises, providing federation, identity management, device registration, user provisioning, application access control & data protection.

Page 9

Identity synchronization with password (hash) sync: user attributes are synchronized using identity synchronization services, including a password hash; authentication is completed against Azure Active Directory.

Identity synchronization (with ADFS): user attributes are synchronized using identity synchronization tools; authentication is passed back through federation and completed against Windows Server Active Directory.

Diagram labels: Microsoft Azure Active Directory, Microsoft Azure, ADFS

Page 10

1000s OF APPS, 1 IDENTITY

Identity + Password (Hash) synchronization: Azure Active Directory authenticates the user.

Diagram labels: User, Microsoft Azure Active Directory, Identity + Password Hash synchronization

Page 11

1000s OF APPS, 1 IDENTITY

Identity synchronization + ADFS: authentication is passed to Windows Server Active Directory via ADFS.

Diagram labels: User, Microsoft Azure Active Directory, Identity synchronization, ADFS

Page 12

1000s OF APPS, 1 IDENTITY

Identity synchronization + Pass-through authentication with Seamless SSO: authentication is passed to Windows Server Active Directory via pass-through authentication.

Diagram labels: User, Microsoft Azure Active Directory, Identity synchronization, Pass-through authentication, Pass-through authentication agent, Seamless SSO

Page 13

1000s OF APPS, 1 IDENTITY

How it works (pass-through authentication; the diagram shows the user, the Azure AD Security Token Service, and a connector inside Contoso Corpnet):

1. User name and password
2. Connector notified of request
3. Connector validates the credentials against AD
4. DC returns result
5. Connector returns result
6. Token returned to the user or further proofs (MFA) are initiated

Page 14

1000s OF APPS, 1 IDENTITY

How seamless SSO works with pass-through authentication and password hash synchronization (the diagram shows the user inside Contoso Corpnet and the Azure AD Security Token Service):

1. User enters their username
2. 401 response to get a Kerberos ticket
3. User requests a Kerberos ticket
4. AD returns Kerberos ticket
5. User sends ticket to Azure AD STS
6. Token returned to the user or further proofs (MFA) are initiated

Page 15

1000s OF APPS, 1 IDENTITY

More options than ever!

• Identity synchronization + ADFS
• Identity synchronization + Pass-through Authentication + Seamless SSO
• Identity synchronization + Password Hash Synchronization + Seamless SSO

Diagram labels: User, Microsoft Azure Active Directory, Identity synchronization, ADFS, Pass-through Authentication, Seamless SSO, Identity + Password Hash synchronization

Page 16

1000s OF APPS, 1 IDENTITY

Azure Active Directory Connect (components: sync engine, ADFS)

Consolidated deployment assistant for your identity bridge components.

All currently available sync engines will be replaced by the sync engine included in the Connect tool.

Assisted deployment of ADFS will be available through Azure Active Directory Connect.

ADFS is an optional component for authentication in a hybrid implementation. Password sync can replace ADFS for more scenarios.

Diagram labels: DirSync, Azure Active Directory Sync, FIM + Azure Active Directory Connector, ADFS

Page 17 (no extracted text)

Page 18

Azure Active Directory as the control plane

Identity as the core of enterprise mobility: single sign-on, self-service, simple connection

Diagram labels: On-premises (Windows Server Active Directory, Other directories), SaaS, Azure, Public cloud, Cloud (Microsoft Azure Active Directory), Customers, Partners

Page 19

Your Directory on the cloud

Diagram labels: SaaS apps, Microsoft Azure Active Directory, Other Directories

Page 20

Access even more on-premises web applications

Diagram labels: User, Microsoft Azure Active Directory, Application Proxy, https://appX-contoso.msappproxy.net/, DMZ, connector, Azure or 3rd Party IaaS, connector, apps, Other LoB apps

Page 21

ENABLE BUSINESS WITHOUT BORDERS

• Assign B2B users access to any app or service your organization owns
• Add B2B users with MSA, Google, or other Identity Provider accounts
• Add B2B users with accounts in other Azure AD organizations

Legend: a dashed silhouette is a user account in the resource tenancy that uses an external identity for authentication.

Diagram labels: Microsoft Azure Active Directory, 3rd party apps, SharePoint Online and Office 365 apps, LOB apps, Azure AD and Office 365 groups, Other organization, Other Identity Providers (Google ID, Microsoft Account)

Pages 22 to 24 (no extracted text)

Page 25

Enterprise security: user log-ins, device log-ins, user accounts, multi-factor authentication, unauthorized data access, data encryption, malware, system updates, attacks (phishing, denial of service)

Page 26 (no extracted text)

Page 27

CLOUD-POWERED PROTECTION

Identity Protection at its best

• Risk severity calculation
• Remediation recommendations
• Risk-based conditional access automatically protects against suspicious logins and compromised credentials
• Gain insights from a consolidated view of machine learning based threat detection

Diagram: the Machine-Learning Engine (leaked credentials, infected devices, configuration vulnerabilities, brute force attacks, suspicious sign-in activities) feeds risk-based policies: MFA challenge for risky logins, block attacks, change bad credentials

Page 28

CLOUD-POWERED PROTECTION

Use the power of Identity Protection in PowerBI, SIEM and other monitoring tools

Apply Microsoft learnings to your existing security tools

Diagram: the Microsoft machine-learning engine (leaked credentials, infected devices, configuration vulnerabilities, brute force attacks, suspicious sign-in activities) feeds notifications, data extracts/downloads and reporting APIs into security/monitoring/reporting solutions

Page 29

Control access to data based on real-time context

Conditional access allows you to define policies that provide contextual controls at the user, location, device, and app levels. As conditions change, natural user prompts ensure that only the right users on compliant devices can access sensitive data.

Conditions:
• User / user group
• Location (IP range)
• Device compliancy state
• Risk
• Cloud applications
• On-premises applications

Actions:
• Allow
• Enforce MFA
• Remediate
• Block access
• Wipe device

Signal sources: Azure Active Directory Premium, Microsoft Intune, Microsoft Intelligent Security Graph

Page 30

Demo - PTA & Conditional Access

Policy conditions:
• User: group membership, user risk, session risk
• Device: OS type (iOS, Android, Windows, Mac), device compliance state, domain join status, device risk
• Application: app type (mobile app, browser or desktop app), application identity
• Location: IP range

Security signals: Microsoft Digital Crimes Unit, Microsoft Cybercrime Center, machine learning / AI based on billions of Azure AD authentications per day, Microsoft Intune device state
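As an added example (not from the slides and not Azure AD code), here is a small Python policy evaluator that applies the conditions listed on slides 29 and 30 (user group, IP range, device compliance or domain join, user and session risk, application) and returns one of the slide's actions. The trusted IP range, the group and app names, and the policies themselves are assumptions made up for the example.

```python
# Constructed illustration of how a conditional-access policy set turns the
# conditions on slides 29 and 30 (user group, location / IP range, device state,
# risk, application) into the slide's actions. Not Azure AD code; the policies,
# the trusted range, the group names and the app name "FinanceApp" are made up.
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class SignInContext:
    user: str
    groups: frozenset
    ip: str
    device_compliant: bool   # Intune compliance state (slide 30)
    domain_joined: bool      # domain join status (slide 30)
    app: str
    user_risk: str = "low"   # Identity Protection risk levels: low / medium / high
    session_risk: str = "low"

# Constructed "corporate" range (RFC 5737 documentation space, not a real network).
TRUSTED_RANGES = [ipaddress.ip_network("203.0.113.0/24")]
RISK_ORDER = {"low": 0, "medium": 1, "high": 2}

def in_trusted_range(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_RANGES)

# Each policy: (name, condition over the sign-in context, action when it matches).
POLICIES = [
    ("finance app only from compliant or domain-joined devices",
     lambda c: c.app == "FinanceApp" and not (c.device_compliant or c.domain_joined), "block"),
    ("high user risk: force credential change",
     lambda c: RISK_ORDER[c.user_risk] >= RISK_ORDER["high"], "remediate"),
    ("medium or higher session risk",
     lambda c: RISK_ORDER[c.session_risk] >= RISK_ORDER["medium"], "mfa"),
    ("contractors always prove a second factor",
     lambda c: "contractors" in c.groups, "mfa"),
    ("sign-in from outside the corporate IP range",
     lambda c: not in_trusted_range(c.ip), "mfa"),
]

# When several policies match, the strongest control wins.
PRECEDENCE = ["block", "remediate", "mfa"]

def evaluate(ctx: SignInContext):
    """Return (action, names of matching policies); 'allow' when nothing matches."""
    matched = [(name, action) for name, cond, action in POLICIES if cond(ctx)]
    for level in PRECEDENCE:
        if any(action == level for _, action in matched):
            return level, [name for name, _ in matched]
    return "allow", []
```

A compliant device on the trusted range with low risk is allowed through, the same user from an unknown network is prompted for MFA, and an unmanaged device reaching the finance app is blocked even though the MFA policy also matched.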

Page 31

Experts Live Summer Night

Next session 18:00 - 18:45: Azure Information Protection, Lisanne Brons & Raymond van t Hag