
Access resources in a federation partner organization


Page 1: Access resources in a federation partner organization

Access Control in BYOD and Directory Integration in a Hybrid Identity Infrastructure

Gayana Bagdasaryan

PCIT-B213


Objectives

• Why AD FS?

• AD FS for Hybrid Identity

• AD FS for BYOD


Why AD FS?

You can implement access control solutions for claims-based applications and other resources that are located across organizational boundaries.


AD FS Deployment Goals

• Access claims-based applications within your enterprise

• Remotely access internally hosted Web sites or services

• Access resources in a federation partner organization 


Access claims-based applications within your enterprise


Remotely access internally hosted Web sites or services


Access resources in a federation partner organization


Key AD FS Concepts

• Claims

• Claim rules

• Attribute stores

• Relying party trusts

• Claims provider trusts

• Configuration databases
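The concepts above fit together in one relying party trust. The following is an added example written for this page, not code from the deck or from Microsoft; the application URL (https://expenses.contoso.com), the group CONTOSO\Finance and the trust name are hypothetical. It registers a claims-based intranet application, pulls claims from the built-in Active Directory attribute store with an issuance transform rule, and restricts who gets a token with an issuance authorization rule.

```powershell
# Added example (not from the deck): a relying party trust with both kinds of claim rules.
# Assumes a Windows Server 2012 R2 federation server, the ADFS module, and an AD FS admin.
# Hypothetical values: the app https://expenses.contoso.com and the group CONTOSO\Finance.
Import-Module ADFS

$appIdentifier = 'https://expenses.contoso.com/'

# Resolve the group's SID without needing RSAT (any domain-joined host can do this).
$financeSid = (New-Object System.Security.Principal.NTAccount('CONTOSO', 'Finance')).
    Translate([System.Security.Principal.SecurityIdentifier]).Value

# Issuance authorization rules decide WHETHER a token is issued at all. They run against
# the claims coming out of the claims provider trust's acceptance rules; the built-in
# "AD AUTHORITY" provider passes group SIDs through by default, so no transform rule is
# needed to see them here. A deny claim wins over any permit, and with no authorization
# rule at all no permit is ever issued, so every user is denied.
$authorizationRules = @"
@RuleName = "Permit the Finance group only"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "$financeSid"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
"@

# Issuance transform rules decide WHICH claims the application receives. This one queries
# the "Active Directory" attribute store for mail and userPrincipalName, keyed on the
# authenticated account name ({0} is substituted with the param value).
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Send mail and UPN from the Active Directory attribute store"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"),
          query = ";mail,userPrincipalName;{0}",
          param = c.Value);
'@

Add-AdfsRelyingPartyTrust -Name 'Expenses' `
    -Identifier $appIdentifier `
    -WSFedEndpoint $appIdentifier `
    -IssuanceAuthorizationRules $authorizationRules `
    -IssuanceTransformRules $transformRules `
    -TokenLifetime 60          # minutes; short lifetimes limit replay of a stolen token

# Read the trust back and confirm the rules landed where intended.
Get-AdfsRelyingPartyTrust -Name 'Expenses' |
    Select-Object Name, Identifier, TokenLifetime, IssuanceAuthorizationRules, IssuanceTransformRules
```

Authorization rules are evaluated before transform rules, so an attribute fetched by the transform rule cannot be used to decide access; anything an access decision depends on must already be present as an incoming claim (group SIDs, UPN) or be fetched by a rule on the claims provider trust.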


AD FS Certificates

• Secure Sockets Layer (SSL) certificate

• Service communication certificate

• Token-signing certificate

• Token-decryption/encryption certificate
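The four certificates are managed by two different cmdlet families in the IIS-less AD FS of Windows Server 2012 R2, and only two of them renew themselves. The script below is an added example for this page, not code from the deck or from Microsoft; it inventories the certificates, computes days to expiry, and flags the cases a practitioner usually gets bitten by. The 30-day warning window is an arbitrary choice.

```powershell
# Added example (not from the deck): inventory the AD FS certificates and flag problems.
# Assumes a Windows Server 2012 R2 federation server with the ADFS module.
Import-Module ADFS

function Get-AdfsCertificateReport {
    param([int]$WarnDays = 30)   # hypothetical threshold

    $props = Get-AdfsProperties
    $now   = Get-Date

    # Service communications, token-signing and token-decrypting certificates all come
    # from Get-AdfsCertificate (the slide's "token-decryption/encryption" certificate is
    # the cmdlet's "Token-Decrypting" type).
    $report = foreach ($type in 'Service-Communications', 'Token-Signing', 'Token-Decrypting') {
        foreach ($entry in Get-AdfsCertificate -CertificateType $type) {
            $cert = $entry.Certificate
            [pscustomobject]@{
                Type       = $type
                IsPrimary  = $entry.IsPrimary
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                NotAfter   = $cert.NotAfter
                DaysLeft   = [int]($cert.NotAfter - $now).TotalDays
                SelfSigned = ($cert.Subject -eq $cert.Issuer)   # auto-rollover certs are self-signed
            }
        }
    }

    # The SSL certificate is different: with no IIS it is an HTTP.sys binding, read and
    # written with Get-/Set-AdfsSslCertificate rather than Set-AdfsCertificate.
    $ssl         = Get-AdfsSslCertificate
    $serviceComm = $report | Where-Object { $_.Type -eq 'Service-Communications' -and $_.IsPrimary }

    $findings = @()
    foreach ($row in ($report | Where-Object { $_.DaysLeft -le $WarnDays })) {
        $findings += "$($row.Type) certificate $($row.Thumbprint) expires in $($row.DaysLeft) days"
    }
    if (-not $props.AutoCertificateRollover) {
        $findings += 'AutoCertificateRollover is off: token-signing and token-decrypting certificates will not renew themselves'
    }
    # Rollover never touches the service communications or SSL certificates; those are
    # CA-issued and must be replaced by hand before NotAfter.
    foreach ($binding in $ssl) {
        if ($binding.CertificateHash -ne $serviceComm.Thumbprint) {
            $findings += "SSL binding $($binding.HostName):$($binding.PortNumber) uses $($binding.CertificateHash), not the service communications certificate $($serviceComm.Thumbprint)"
        }
    }

    [pscustomobject]@{
        Certificates = $report
        SslBindings  = $ssl
        Rollover     = $props | Select-Object AutoCertificateRollover, CertificateGenerationThreshold, CertificatePromotionThreshold
        Findings     = $findings
    }
}

$r = Get-AdfsCertificateReport -WarnDays 30
$r.Certificates | Format-Table Type, IsPrimary, DaysLeft, SelfSigned, Thumbprint -AutoSize
$r.Rollover
$r.Findings
```

An SSL binding that differs from the service communications certificate is not always wrong, but it is usually unintended, and a token-signing rollover is only half the job: any partner that does not poll the farm's federation metadata (Azure AD, many SaaS relying parties) keeps trusting the old certificate until it is handed the new one.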


AD FS - simplified deployment experience

• No IIS dependency

• Remote installation and configuration via Server Manager

• UI support for installing AD FS with SQL Server

• Group Managed Service Account (gMSA) support

• SQL Server merge replication support


AD FS - enhanced sign-in experience

• Unified customization of the AD FS service

• Support for automatic fallback to forms-based authentication for non-domain-joined-devices

• Home realm discovery (HRD) based on the organizational suffix of the user

• Customizable logo, illustration image, IT support links, home page, privacy, description messages in the sign-in pages, web themes, error messages


Empowering People-centric IT

Management. Access. Protection.

(slide graphic: Users, Devices, Apps, Data)


Hybrid Identity

Unify your environment

Create a centralized identity across on-premises and cloud

Use identity federation to maintain centralized authentication and securely share and collaborate with external users and businesses

Enable users

Provide users with self-service experiences to keep them productive

Enable single sign-on for users across all the resources they need access to

Protect your data

Enforce strong authentication when users access resources and apply conditional access controls to sensitive company information

Configure single sign-on across all company applications

Ensure compliance with governance, attestation and reporting


AD FS - access control risk management tools

• Access control based on user / device / location

• Global / per-application access control scope

• MFA based on user / device / location

• AD FS Extranet Lockout, to protect AD accounts from brute-force password attacks coming from the internet

• Access revocation for workplace-joined devices disabled/deleted in AD
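The three controls on this slide are configured with claim rules and farm properties. What follows is an added example written for this page, not code from the deck or from Microsoft; the relying party name 'Expenses' and the lockout numbers are hypothetical. It denies extranet access from devices that are not workplace joined, requires MFA for requests from outside the corporate network, and turns on extranet lockout with a threshold chosen to sit below the domain's own lockout policy.

```powershell
# Added example (not from the deck): per-app access control, per-app MFA and extranet lockout.
# Assumes a Windows Server 2012 R2 federation server, the ADFS module, an AD FS admin, and a
# relying party trust named 'Expenses' (hypothetical) that already has a permit rule.
Import-Module ADFS

$rpName = 'Expenses'

# Claim types AD FS 2012 R2 attaches to every request:
#   insidecorporatenetwork  "true" when the request did NOT arrive through a Web Application
#                           Proxy. Without a proxy in front of AD FS every client looks
#                           internal and neither rule below ever fires.
#   isregistereduser        "true" when the device is workplace joined and authenticated.
#                           Requires the Device Registration Service (Initialize-ADDeviceRegistration,
#                           Enable-AdfsDeviceRegistration). NOT EXISTS covers both an absent
#                           claim and a "false" one.

# 1. Per-application access control (issuance authorization rule). A deny claim beats any
#    permit, so this is appended to the existing rule set rather than replacing it.
$denyRule = @'
@RuleName = "Deny extranet access from unregistered devices"
c:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"]
 && NOT EXISTS([Type == "http://schemas.microsoft.com/2012/01/devicecontext/claims/isregistereduser", Value == "true"])
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "true");
'@
$rp = Get-AdfsRelyingPartyTrust -Name $rpName
Set-AdfsRelyingPartyTrust -TargetName $rpName `
    -IssuanceAuthorizationRules ($rp.IssuanceAuthorizationRules + "`n" + $denyRule)

# 2. Per-application MFA (additional authentication rule). Issuing the multipleauthn
#    authentication-method claim makes AD FS invoke the configured additional provider;
#    if none is enabled (Get-AdfsGlobalAuthenticationPolicy).AdditionalAuthenticationProvider
#    the sign-in fails with an error rather than quietly skipping the second factor.
$mfaRule = @'
@RuleName = "MFA for extranet requests"
c:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value = "http://schemas.microsoft.com/claims/multipleauthn");
'@
Set-AdfsRelyingPartyTrust -TargetName $rpName -AdditionalAuthenticationRules $mfaRule
# The same rule text given to Set-AdfsAdditionalAuthenticationRule applies farm-wide instead.

# 3. Extranet lockout. AD FS stops forwarding passwords for a user to AD once the threshold
#    of failures through the proxy is reached within the observation window. Keep the AD FS
#    threshold BELOW (Get-ADDefaultDomainPasswordPolicy).LockoutThreshold: if AD locks the
#    account first, an attacker with only a username gets a denial of service against the user.
Set-AdfsProperties -EnableExtranetLockout $true `
                   -ExtranetLockoutThreshold 15 `
                   -ExtranetObservationWindow (New-TimeSpan -Minutes 30)

Get-AdfsProperties | Select-Object EnableExtranetLockout, ExtranetLockoutThreshold, ExtranetObservationWindow
```

Extranet lockout only counts attempts that come through the Web Application Proxy, which is also why the location-based rules depend on the proxy: the proxy is the only thing that tells AD FS a request came from outside.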


AD FS - access to resources on personal devices from anywhere

• Workplace join (DRS)

• Pre-authentication of intranet resources

• Password change from workplace-joined devices


Demo

Workplace join with MFA

Related sessions:

• PCIT-IL301-R Wednesday, May 14 8:30 AM - 9:45 AM

• DEV-B344 Wednesday, May 14 1:30 PM - 2:45 PM

• PCIT-IL301-RR Thursday, May 15 1:00 PM - 2:15 PM

• PCIT-B330 Thursday, May 15 8:30 AM - 9:45 AM


Providing Users with a Common Identity

IT can provide users with a common identity across on-premises or cloud-based services, leveraging Windows Server Active Directory and Azure Active Directory.

Users are more productive by having a single sign-on to all their resources.

Users get access through accounts in Azure Active Directory to Azure, Office 365, and third-party applications.

Developers can build applications that leverage the common identity model.


Common Identity with Sync

User attributes are synchronized, including the password hash. Authentication can be completed against either Azure Active Directory or Windows Server Active Directory.

Synchronization

*Write back of attributes to support cloud first and co-existence


Common Identity with Federation

User attributes are synchronized; authentication is passed back through federation and completed against Windows Server Active Directory.

Federation

AD FS provides conditional access to resources, Workplace Join for device registration and integrated multi-factor authentication.
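With federation, Azure AD never sees the password; it trusts tokens from the farm only if the issuer, endpoints and signing certificate it stores for the domain still match the farm. The script below is an added example written for this page, not code from the deck or from Microsoft; it compares what Azure AD holds against the live AD FS configuration. The domain contoso.com and the function names are hypothetical.

```powershell
# Added example (not from the deck): verify that Azure AD's federation settings for a
# domain still match this AD FS farm. Assumes an AD FS server with the ADFS module, the
# MSOnline module with Connect-MsolService already run, and the hypothetical domain contoso.com.
Import-Module ADFS
Import-Module MSOnline

function ConvertTo-Thumbprint {
    # Azure AD hands back certificates as base64 DER; reduce one to a thumbprint.
    param([string]$Base64)
    if ([string]::IsNullOrEmpty($Base64)) { return $null }
    $bytes = [Convert]::FromBase64String($Base64)
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$bytes)
    $cert.Thumbprint
}

function Test-AdfsAzureFederation {
    param([Parameter(Mandatory = $true)][string]$DomainName)
    $findings = @()

    $domain = Get-MsolDomain -DomainName $DomainName
    if ($domain.Authentication -ne 'Federated') {
        return [pscustomobject]@{ Domain = $DomainName; Ok = $false
            Findings = @("domain is $($domain.Authentication), not Federated: sign-in uses synchronized password hashes, not AD FS") }
    }

    $azure = Get-MsolDomainFederationSettings -DomainName $DomainName
    $props = Get-AdfsProperties

    # Issuer: Azure AD rejects tokens whose issuer is not exactly this URI.
    $expectedIssuer = $props.Identifier.ToString().TrimEnd('/')
    if ($azure.IssuerUri.TrimEnd('/') -ne $expectedIssuer) {
        $findings += "IssuerUri '$($azure.IssuerUri)' does not match the AD FS identifier '$expectedIssuer'"
    }

    # Endpoint: browsers are redirected to PassiveLogOnUri, so it must point at this farm.
    $expectedPassive = "https://$($props.HostName)/adfs/ls/"
    if ($azure.PassiveLogOnUri -ne $expectedPassive) {
        $findings += "PassiveLogOnUri '$($azure.PassiveLogOnUri)' does not point at this farm ($expectedPassive)"
    }

    # Signing certificate: Azure AD does not read federation metadata, so after a
    # token-signing rollover the new primary must be pushed with Update-MsolFederatedDomain
    # or every federated sign-in fails.
    $signing    = Get-AdfsCertificate -CertificateType Token-Signing
    $primary    = ($signing | Where-Object { $_.IsPrimary }).Certificate.Thumbprint
    $secondary  = ($signing | Where-Object { -not $_.IsPrimary } | Select-Object -First 1).Certificate.Thumbprint
    $azureKnown = @(
        ConvertTo-Thumbprint $azure.SigningCertificate
        ConvertTo-Thumbprint $azure.NextSigningCertificate
    ) | Where-Object { $_ -ne $null }

    if ($azureKnown -notcontains $primary) {
        $findings += "Azure AD does not know the primary token-signing certificate $primary; run Update-MsolFederatedDomain -DomainName $DomainName on this server"
    }
    elseif ($secondary -and ($azureKnown -notcontains $secondary)) {
        $findings += "Azure AD does not yet know the secondary token-signing certificate $secondary; push it before auto-rollover promotes it"
    }

    [pscustomobject]@{ Domain = $DomainName; Ok = ($findings.Count -eq 0); Findings = $findings }
}

Test-AdfsAzureFederation -DomainName 'contoso.com'
```

Run this from a federation server, because Update-MsolFederatedDomain reads the local AD FS configuration to build what it sends to Azure AD; scheduling the check a few days inside the farm's CertificateGenerationThreshold catches the rollover before the promotion date rather than after users start failing to sign in.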


Common Identity with Federation


Demo

- OneAD Wizard

- Alternate login ID


Identity Federation

Conditional access with multi-factor authentication is provided on a per-application basis, leveraging user identity, device registration & network location

Organizations can federate with partners and other organizations for seamless access to shared resources

Organizations can connect to SaaS applications running in Azure, Office 365 and 3rd party providers

Enhancements to AD FS include simplified deployment and management

Published applications


• Breakout Sessions

o PCIT-IL301-R Wednesday, May 14 8:30 AM - 9:45 AM

o DEV-B344 Wednesday, May 14 1:30 PM - 2:45 PM

o PCIT-IL301-RR Thursday, May 15 1:00 PM - 2:15 PM

o PCIT-B330 Thursday, May 15 8:30 AM - 9:45 AM

Find Me at the CSI booth

Related content


TechNet

Resources

Resources for IT Professionals

Active Directory Federation Services Overview - http://technet.microsoft.com/en-us/library/hh831502.aspx

Setup Geographic Redundancy with SQL Server Replication - http://technet.microsoft.com/en-us/library/dn632406.aspx

AD FS Certificate Requirements - http://technet.microsoft.com/en-us/library/dn554247.aspx#BKMK_1

Configuring AD FS Extranet Lockout - http://technet.microsoft.com/en-us/library/dn486806.aspx

Configuring Alternate Login ID - http://technet.microsoft.com/en-us/library/dn659436.aspx

Walkthrough Guide: Manage Risk with Additional Multi-Factor Authentication for Sensitive Applications - http://technet.microsoft.com/en-us/library/dn280946.aspx

Configuring Authentication Policies - http://technet.microsoft.com/en-us/library/dn486781.aspx

Developing Modern Applications using OAuth and AD FS - http://msdn.microsoft.com/en-us/library/dn633593.aspx

Directory integration - http://msdn.microsoft.com/en-us/library/azure/jj573653.aspx

AD FS on Curah - http://curah.microsoft.com/51820/ad-fs-technet-content-map

BYOD on Curah - http://curah.microsoft.com/37111/bring-your-own-device-byod


Resources

Learning

Microsoft Certification & Training Resources

www.microsoft.com/learning

msdn

Resources for Developers

http://microsoft.com/msdn

TechNet

Resources for IT Professionals

http://microsoft.com/technet

Sessions on Demand

http://channel9.msdn.com/Events/TechEd


© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.