Source: digiblog.s3-eu-central-1.amazonaws.com › app › ... (MIM 2016, Oliver Ryf)

Page 1

Digicomp Microsoft Evolution Day 2015

MIM 2016

Oliver Ryf

Partner:

Page 2

Agenda

Welcome

About the speaker

PowerShell Desired State Configuration

Q&A

Further courses

Page 3

About the speaker

IT trainer since 1991

MCSE and MCT in 1995

Since 2000 various projects in Windows/Office migrations, Active Directory, infrastructure, Hyper-V and Azure cloud

Trainer at Digicomp since 2006

Since 2014 Principal Consultant and Cloud Architect at UP-Great AG, Fehraltorf

Page 4

IAM – A comprehensive solution

Windows Server

• Active Directory is the primary authentication source in companies

• Active Directory Federation Services integrates AD with Azure AD and MFA

• Web Application Proxy allows pre-authentication at the edge

• Enables conditional access to resources

Microsoft Identity Manager

• Offers self-service identity management

• Automates lifecycle management across heterogeneous platforms

• Allows defining extensive policies to enforce corporate rules for identity and access

Azure Active Directory

• Cloud directory

• Cloud authentication

• Azure Active Directory Premium includes Multi-Factor Authentication, and server and user CALs for Identity Manager

Page 5

MIM for end-to-end IAM policies

(Diagram: MIM spanning on-premises and private cloud, Azure Active Directory, Azure AD App Proxy and your apps)

Page 6

Identity Manager Capabilities

(Diagram) Identity stores: cloud services, databases, directories, applications. Policies and workflow. Clients: Windows, Outlook, Portal, custom.

Identity Manager Platform Scenarios

(Diagram) Request flow: Request, Permission, AuthN, AuthZ, Action, Service DB. Scenarios: Identity Synchronization, Role Management, Certificate Management, Group Management, Password Reset.

Page 7

MIM 2016

Up-to-date

Updated platform support

Certificate Management updated

Self-service account unlock added!!

Privileged Access Mgmt

Improved protection of admins

Just In Time (JIT) admin access

Auditing for alerts and reports

Page 8

MIM 2016

Hybrid IAM

Self-service password reset with Azure MFA as a gate

Hybrid reporting

AAD and Office365 integration

Page 9

Privileged Access Management

Page 10

Privileged Accounts – The Risk

(Timeline) Research & preparation → first workstation compromised → 24-48 hours → domain admin compromised → data exfiltration (attacker undetected) → 11-14 months → attack discovered

Page 11

The solution: Just-in-Time admin access

Prepare: Which users have privileged access rights based on AD groups?

Protect: Step-up lifecycle and AuthN protection of privileged user accounts

Operate: Users can request Just In Time (JIT) and Just Enough administrator access privileges

Monitor: Additional auditing, alerts & reports of privileged access requests

Page 12

Just-in-Time Solution Focus

Domain account Authentication and Authorization

Managing privileged access with:

Step-up and Proof-up

Isolation/scoping of privileges

Additional logging

Customizable workflow

Page 13

JIT Solution Architecture

(Diagram) Existing environment: AD forest(s) on WS 2003 or later, existing FIM, existing apps issuing access requests, user; existing trust. Privileged Access Management environment: Microsoft Identity Manager configured for PAM, AD DS vNext; optional trust for admin access.

Example shown in the diagram: User: PRIV\JenAdmin; Groups: CORP\Resource Admins; Refresh after: 60 minutes. Group "Resource Admins" (Domain: CORP, Candidate: Jen) with time-based memberships; user "Jen" in CORP, user "JenAdmin" in PRIV.

Page 14

Functional architecture

(Diagram) A PAM request issued via PowerShell (New-PAMRequest) reaches the MIM Service, where an MPR triggers the AuthZ workflow and the Action workflow; the MIM Service DB holds the user, group and PAM role objects, the request is written to the event log, and the membership is applied in AD DS vNext. Verification on the client: runas, then whoami /groups.

Page 15

PAM Request

PowerShell: New-PAMRequest

REST API (web pages)
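The request path sketched on slides 13 to 15, as an added example that is not part of the deck: a user in the PRIV forest asks MIM PAM for time-bound membership in CORP\Resource Admins and then verifies it the way the slide does, with a fresh logon token and whoami /groups. It assumes the MIM PAM client module (MIMPAM) is installed, that a PAM role named "Resource Admins" exists, and that the cmdlet parameter names are as I recall them from the MIM PAM module; check them against Get-Help on your installation.

```powershell
# Added example, not from the slides. Assumes the MIMPAM module and a PAM role
# with display name 'Resource Admins' (names follow the slide's diagram).
Import-Module MIMPAM

# 1. Resolve the PAM role that maps to CORP\Resource Admins.
$role = Get-PAMRole -DisplayName 'Resource Admins'
if (-not $role) { throw "PAM role 'Resource Admins' not found" }

# 2. Request JIT membership. The TTL matches the slide's "Refresh after: 60 minutes";
#    the justification lands in the MIM request object and the event log, which is
#    what the "Monitor" step on slide 11 audits.
$request = New-PAMRequest -Role $role `
    -RequestedTTL (New-TimeSpan -Minutes 60) `
    -Justification 'CHANGE-0000 (placeholder ticket id): patch file server'

# 3. Inspect the request; an auto-approved role becomes active without an approver,
#    otherwise it waits in the AuthZ workflow for approval.
$request | Format-List *

# 4. Group membership is evaluated at logon, so the current token does not change.
#    Start a new process as the privileged account and list its groups; the SID of
#    CORP\Resource Admins should now appear, and should be gone after the TTL expires.
runas /user:PRIV\JenAdmin "cmd /k whoami /groups"
```

Get-PAMRequest lists the same request objects later, which is the simplest way to reconcile who held privileged membership at a given time against the event log.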

Pages 16 to 22: (no text on these slides)

Page 23

Hybrid Identity Management

Page 24

Hybrid IAM with MIM vNext

Hybrid MIM Reporting

Hybrid Sync

SSPR with Azure Phone Authentication

O365 Integration

Page 25

IAM Reporting & Auditing: Status

FIM activity reports delivered via System Center Service Manager

FIM 2010 R2

Page 26

IAM Reporting & Auditing: Current State

Azure AD activity reports from the Azure portal

Azure AD Reports

Page 27

Hybrid Reporting

Hybrid (Azure AD) reporting:

Adding scenario-based reporting

Reports can ship with Azure portal updates

Easier to deploy using cloud storage

Easier to generate custom reports

FIM on-premises reporting:

Reports show FIM Service DB changes

Reports ship as part of FIM major releases

May require separate SQL and SCDW hosts

Custom reports require SCDW skills

Page 28

Hybrid Reporting: Unified Experience

Page 29

Provisioning and Synchronization

(Diagram) The HR system feeds MIM, which, with manager involvement, provisions to Active Directory, Exchange, LDAP, an Oracle DB and Finance; triggers are a new employee and a departing employee.

Page 30

Provisioning and Synchronization

(Diagram) The HR system feeds MIM, which, with manager involvement, provisions to Windows Server Active Directory, LDAP, an Oracle DB and Finance; Azure AD Sync carries identities to Microsoft Azure Active Directory, which serves Exchange Online, SharePoint Online, Azure and SaaS apps.

Page 31

Roadmap: Before / Current

AAD and MIM Sync

Page 32

SSPR with MFA Gate

Page 33

SSPR with Phone AuthN

New "Phone Gate" activity for implementing an additional phone authN step as part of an SSPR workflow

Page 34

MIM Modernization

Page 35

MIM 2016: Modern functionality

Self-service Account Unlock

• With BYOD devices it happens more often that accounts get locked out after a password change

• Enable self-service unlocking of accounts (without password reset)

Certificate Management modernization

• Modern app for self-service

• New REST API

• OAuth 2 enabled

• CM server support for AD multi-forests

Support for "current" platforms

• Windows Server 2012 R2 and later, SQL Server 2014, SharePoint 2013, Exchange 2013, Visual Studio 2013, ...

Page 36

Certificate Management with a Windows Store app

Page 37

Q&A

Page 38

Further courses

Company-specific workshops