Published by Marsha Goodwin. Modified over 9 years ago.
ARC312
Identity components of the reference architecture:
- Security Policy, Governance, Audit, Reporting, Analysis, Data Quality: cross-cutting, important for every component!
- Directory: anywhere that digital identities live
- Logon: logon method, password management, MFA
- Mobility: mobile devices, remote access for mobile users
- Provisioning: includes create, update and delete of objects; granting and revoking of access
- Development: identity standards and toolkits for developers
- Access Control: access management, initial and ongoing
- Authentication
- Authorization
Cross-cutting: Security Policy, Governance, Audit, Reporting, Analysis, Data Quality. Components: Directory, Logon, Mobility, Provisioning, Development, Access Control, Authentication, Authorization.
Directory
Logon
ADFS in Windows Server 2012 R2:
- Conditional access with multi-factor authentication is provided on a per-application basis
- Logon to SaaS applications in Windows Azure and other providers
- Enhancements to ADFS include simplified deployment and management
- Published applications, Firewall
Web Application Proxy:
- Part of the Remote Access Server role in Windows Server 2012 R2
- Replaces the ADFS Proxy
- Publishes applications for external use (like TMG/UAG)
- Multi-Factor Authentication
- Variable authentication based on device and location
Multi-factor authentication methods: voice call, SMS, smartphone app.
Provisioning
Provisioning with FIM:
- Built-in workflow for identity management
- Automatically synchronize all user information to different directories across the enterprise
- Automate the process of on-boarding new users
- Real-time de-provisioning from all systems to prevent unauthorized access and information leakage
- LDAP; Certificate Management
Access Control
Mobility
Workplace Join:
- AD includes a new "device" object class for registering mobile devices. Registration does not make the device "managed", only "known".
- A certificate is dropped on the device; this becomes the second authentication factor.
- The Workplace Join end point is published using the Web Application Proxy.
Device Registration Service:
- The registration end point is published on the Web Application Proxy.
- A registered device then works as a second factor for authentication when accessing applications and services.
- Users can register BYO devices for single sign-on and access to corporate data with Workplace Join. As part of this, a certificate is installed on the device.
- Requires AD with the 2012 R2 schema extensions, including the device object class.
Development
Creating a user with the Graph API:

```http
POST https://graph.windows.net/contoso.com/users?api-version=2013-04-05
Content-Type: application/json
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik5HVEZ2ZEstZnl0aEV1T….

{
  "accountEnabled": true,
  "userPrincipalName": "NewUser@contoso.com",
  "displayName": "New User",
  "passwordProfile": {
    "password": "VStrongP@ssword1",
    "forceChangePasswordNextLogin": true
  },
  "mailNickname": "NewUser"
}
```

Response: 201 Created

Notes: (1) the password must meet the tenant's accepted password complexity requirements. (2) The minimum set of properties to create a user is shown in the example above.
Anatomy of a Graph API query:

https://graph.windows.net/contoso.com/users?api-version=2013-04-05&$filter=state eq 'WA'

- https://graph.windows.net: Graph URL (static)
- contoso.com: tenant of interest; can be the tenant's verified domain or objectId
- users: specific entity type, such as users, groups, contacts, tenantDetails, roles, applications, etc.
- api-version=2013-04-05: API version
- $filter=state eq 'WA': OData filter on particular attribute values
- Also available: follow relationships (memberOf, manager, ...) and Differential Query (changes since the last query)
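The two Graph slides above (the create-user POST and the query URL anatomy) as one added, runnable example. This is illustrative code written for this page, not code from the ARC312 deck or from Microsoft; the tenant name contoso.com, the api-version, the placeholder token and every function name are assumptions. It builds the request the slide shows, checks the minimum property set before anything is sent, and quotes OData filter values so a caller-supplied value cannot alter the $filter expression.

```python
# Added example for the ARC312 Graph API slides (not from the deck).
# Assumed: tenant "contoso.com", api-version "2013-04-05", a placeholder
# bearer token; function names are illustrative. Nothing is sent on import.
import json
import urllib.request
from typing import Optional
from urllib.parse import quote

GRAPH_BASE = "https://graph.windows.net"
API_VERSION = "2013-04-05"

# Minimum property set for a new user, per the slide's POST body.
REQUIRED_USER_PROPERTIES = (
    "accountEnabled", "userPrincipalName", "displayName",
    "passwordProfile", "mailNickname",
)
REQUIRED_PASSWORD_PROFILE_KEYS = ("password", "forceChangePasswordNextLogin")


def odata_string_literal(value: str) -> str:
    """Quote a value for an OData $filter. A single quote inside the value is
    doubled, so "O'Brien" cannot terminate the literal and append its own
    operators to the query (OData filter injection)."""
    return "'" + value.replace("'", "''") + "'"


def build_graph_url(tenant: str, entity: str, api_version: str = API_VERSION,
                    filter_expr: Optional[str] = None) -> str:
    """Compose <base>/<tenant>/<entity>?api-version=<v>[&$filter=<expr>].
    tenant may be a verified domain or the tenant objectId."""
    url = "%s/%s/%s?api-version=%s" % (
        GRAPH_BASE, quote(tenant, safe=""), quote(entity, safe=""), api_version)
    if filter_expr:
        # Percent-encode spaces; keep the quotes the OData grammar needs.
        url += "&$filter=" + quote(filter_expr, safe="'()")
    return url


def missing_user_properties(body: dict) -> list:
    """Return the names of required properties absent from a create-user body."""
    missing = [k for k in REQUIRED_USER_PROPERTIES if k not in body]
    profile = body.get("passwordProfile") or {}
    missing += ["passwordProfile." + k for k in REQUIRED_PASSWORD_PROFILE_KEYS
                if k not in profile]
    return missing


def build_create_user_request(tenant: str, token: str, upn: str,
                              display_name: str, mail_nickname: str,
                              password: str) -> dict:
    """Build (but do not send) the POST shown on the slide. The initial
    password is always marked as change-on-next-logon so the value handed to
    the user is only a bootstrap credential."""
    body = {
        "accountEnabled": True,
        "userPrincipalName": upn,
        "displayName": display_name,
        "passwordProfile": {"password": password,
                            "forceChangePasswordNextLogin": True},
        "mailNickname": mail_nickname,
    }
    missing = missing_user_properties(body)
    if missing:
        raise ValueError("create-user body missing: %s" % ", ".join(missing))
    return {
        "method": "POST",
        "url": build_graph_url(tenant, "users"),
        "headers": {"Content-Type": "application/json",
                    "Authorization": "Bearer " + token},
        "body": body,
    }


def send(req: dict) -> dict:
    """Send a built request and require the 201 Created the slide documents."""
    data = json.dumps(req["body"]).encode("utf-8")
    http_req = urllib.request.Request(req["url"], data=data,
                                      headers=req["headers"], method=req["method"])
    with urllib.request.urlopen(http_req) as resp:
        if resp.status != 201:
            raise RuntimeError("expected 201 Created, got %d" % resp.status)
        return json.load(resp)


if __name__ == "__main__":
    # Constructed sample values; the token is a placeholder, so this only
    # prints the request and the filtered query URL rather than calling Graph.
    req = build_create_user_request("contoso.com", "<bearer token>",
                                    "NewUser@contoso.com", "New User",
                                    "NewUser", "VStrongP@ssword1")
    print(req["method"], req["url"])
    print(json.dumps(req["body"], indent=2))
    print(build_graph_url("contoso.com", "users",
                          filter_expr="state eq " + odata_string_literal("WA")))
```

The filter helper is the part worth keeping: anywhere a directory attribute value comes from user input (a search box, a self-registration portal), quote it with odata_string_literal rather than formatting it straight into the URL.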
Cross-cutting: Security Policy, Governance, Audit, Reporting, Analysis, Data Quality.
Summary: where each component lives (columns AuthN, AuthZ, Directory, Provisioning, Logon, Access Control, Development, Mobility):
- Directory: Internal: Corporate AD; External: DMZ Domain, Trusted Partner IdP, Providers; Application: Own Id Store
- Provisioning: Internal: FIM; External: Self-Reg Portal, Trusted IdP
- Logon: Managed IdP + Password Reset; Extranet: Web App Proxy, ADFS
- Access Control / AuthZ: Application managed; Claims based
- Mobility: Device Join
- Development: Windows Identity Foundation
Head to... aka.ms/te