Identity; What you need to know to be in the Microsoft Cloud

Presentation transcript:

Identity; What you need to know to be in the Microsoft Cloud PROD323 Mark Rhodes

Microsoft Ignite 2016 10/9/2017 8:18 AM Mark Rhodes Premier Field Engineer Microsoft @mrhodes marhod@microsoft.com © 2016 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Agenda
- Overview of existing authentication models
- New authentication methods
- Improvements and enhancements

Microsoft Cloud Identity Models
- Synchronized ID: on-premises identity, directory sync with password sync
- Federated ID: on-premises identity, directory sync, federation
- Pass Thru Auth: on-premises identity, directory sync, PTA agent

What is Azure AD Connect?
- Primary tool to onboard to Azure AD
- Express Settings gets customers connected in a matter of minutes
- Provides install and configuration of identity components
- In the past: DirSync, Azure AD Sync, FIM + Azure AD Connector
- Now we have Azure AD Connect: Sync, ADFS, PTA/DSSO, ADFS Health

DirSync / AAD Sync
- Deprecated April 13, 2016
- Support ends April 13, 2017
- Upgrade today

Synchronized Identity Model

Diagram: Azure AD Sync copies user accounts and password hashes from the on-premises directory into Azure AD (synchronized identity); the user signs on directly against Azure AD.

Password Security

Diagram: the user's password is stored only as a hash in the on-premises directory; an additional hashing step ("extra security") is applied to that hash before the result is sent to Azure AD, so the on-premises hash itself never leaves the directory.

Federated Identity Model

Diagram: Azure AD Sync still synchronizes user accounts (and, optionally, password hashes) from the on-premises directory into Azure AD (federated identity), but the user's sign-on is redirected to AD FS, which performs the authentication against the on-premises directory.

Federated Sign-In Scenarios

| Workstation | Inside Corp Network | Public Internet |
|---|---|---|
| On Corp Domain | Single Sign On | HTML Login Page |
| Off Corp Domain | Windows Authentication | HTML Login Page |

Password Sync Backup for Federated Sign-In

Diagram: AD FS remains the sign-in path (federated identity), while Azure AD Sync additionally synchronizes user accounts and password hashes from the on-premises directory as a backup, so sign-in can fall back to password hash sync if federation is unavailable.

Pass Through Authentication

Azure AD Pass-through Authentication (Preview)
- Clients sign in on-premises without ADFS
- No password hash sync required
- Uses the AAD Application Proxy infrastructure

How does PTA work? (Contoso corpnet with a DC on one side, the Azure AD STS on the other)
1. The user's username and password are sent to the Azure AD STS.
2. The connector, which polls Azure AD over an outbound connection, is notified of the request.
3. The username and password are sent to the connector.
4. The connector validates the credentials against AD (the DC).
5. The DC returns the result.
6. The connector returns the result.
7. The result is returned back to the AAD STS.
8. A token is returned to the user, or further proofs (MFA) are initiated.

Supported Scenarios
- Rich clients that utilize modern authentication
- Browser-based passive web flows

What’s the experience? Identical to Password Hash Sync.

What do I need to expose? NOTHING. Zero ports to open. Zero services that need to be exposed via a public IP.
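A way to verify the "nothing exposed" claim on a PTA agent host, as an added example that is not part of the Ignite deck: it checks that the agent process owns no listening sockets, that its established connections are outbound HTTPS, and that no inbound firewall rule targets its binary. The Windows service name 'AzureADConnectAuthenticationAgent' is an assumption and may need adjusting.

```powershell
# Added example (not from the Ignite deck): verify that a Pass-through
# Authentication agent host has the outbound-only footprint the deck claims.
# Assumptions: run elevated on the agent server; the Windows service name
# 'AzureADConnectAuthenticationAgent' is assumed and may need adjusting.

$serviceName = 'AzureADConnectAuthenticationAgent'
$svc = Get-Service -Name $serviceName -ErrorAction SilentlyContinue
if (-not $svc) { Write-Warning "Service '$serviceName' not found on $env:COMPUTERNAME"; return }
Write-Output ("Agent service state: {0}" -f $svc.Status)

# Get-Service does not expose the PID on older PowerShell, so ask CIM for it
$procId = (Get-CimInstance Win32_Service -Filter "Name='$serviceName'").ProcessId
if (-not $procId) { Write-Warning 'Agent is not running; nothing to inspect'; return }

# 1. A listening socket owned by the agent would contradict "zero ports to open"
$listeners = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object OwningProcess -eq $procId
if ($listeners) {
    Write-Warning ("Agent PID {0} is LISTENING on port(s): {1}" -f $procId, ($listeners.LocalPort -join ', '))
} else {
    Write-Output "OK: agent PID $procId owns no listening sockets"
}

# 2. Established connections should all be outbound HTTPS to Azure AD; anything else needs a look
$outbound = Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
    Where-Object OwningProcess -eq $procId
foreach ($c in $outbound) {
    $flag = if ($c.RemotePort -eq 443) { 'OK   ' } else { 'CHECK' }
    Write-Output ("{0} {1}:{2} -> {3}:{4}" -f $flag, $c.LocalAddress, $c.LocalPort, $c.RemoteAddress, $c.RemotePort)
}

# 3. No enabled inbound firewall rule should be scoped to the agent binary
$exe = (Get-Process -Id $procId).Path
$inbound = Get-NetFirewallRule -Direction Inbound -Enabled True -ErrorAction SilentlyContinue |
    Where-Object { ($_ | Get-NetFirewallApplicationFilter).Program -eq $exe }
if ($inbound) {
    Write-Warning ("Inbound firewall rule(s) target {0}: {1}" -f $exe, ($inbound.DisplayName -join ', '))
} else {
    Write-Output "OK: no inbound firewall rules for $exe"
}
```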

Demo: Pass Through Authentication

Picking an identity model
- Synchronized ID: on-premises identity, directory sync with password sync
- Federated ID: on-premises identity, directory sync, federation
- Pass Thru Auth: on-premises identity, directory sync, PTA agent

Considerations for choosing auth options

| Question | Password Hash Synchronization (with SSO, preview) | ADFS | Pass-through Authentication with SSO (preview) |
|---|---|---|---|
| Where does the authentication happen? | In the cloud | On-premises | On-premises |
| Where does the user enter the credentials? | In the cloud | On-premises (through proxy in DMZ) | In the cloud (transmitted securely to on-premises agent) |
| Is there any on-premises infrastructure needed beyond Azure AD Connect? | No | Yes: at least 2 ADFS servers and 2 proxies in DMZ | Yes: 1 or more lightweight agents that can be installed on any existing servers (including DCs), with no DMZ requirements |
| Do my users get single sign-on to cloud resources from domain-joined devices within the company network? | Yes (with the SSO feature that is in preview, or with AAD-join*) | Yes | Yes (with the SSO feature that is in preview) |

*AAD-join is only supported on Windows 10

Considerations for choosing auth options (continued; same three columns, values listed in slide order)
- What login types does it support? U/P, Win10/Hello; U/P, WIA, cert-based auth, smart card; U/P
- What MFA options do I have? Azure MFA; Azure MFA, Azure on-premises MFA, 3rd-party MFA (RSA, SafeNet, HID Global, Symantec, …)
- What Conditional Access options do I have? Azure AD Conditional Access; Azure AD Conditional Access as well as additional on-premises levers
- Does it support alternate login ID? Yes; Not currently
- Does it support legacy application and EAS clients? No

When to choose “Synchronised”
- Existing user accounts
- Save credentials in Credential Manager
- Outlook does not support SSO
- Recommended approach: synchronised identity

When to choose “Federated”
- ADFS already deployed
- Third-party IdP
- On-premises MFA / smart card requirement
- Audit sign-in / immediately disable users
- Client sign-in restrictions
- Policy preventing password sync
- Hybrid search

When to choose “Pass Through”
- Don’t want ADFS infrastructure and don’t want to sync passwords
- High availability without a load balancer
- Audit sign-in / immediately disable users
- Policy preventing password sync

Recommendation: choose the simplest model that meets your requirements.

Desktop Single Sign On (preview)

Desktop SSO: single sign-on without the cost of ADFS
- Utilizes existing AD infrastructure
- Supported for both PTA and PHS
- *In preview, users still have to enter their UPN

How does it work - Setup (Azure AD on one side, the Contoso corpnet DC on the other)
1. A machine account is created in on-premises AD.
2. Its Kerberos key is stored securely in Azure AD.
3. A GPO sets the Intranet zone on clients.

How does it work - Runtime (AAD STS, the user, and the Contoso corpnet DC)
1. The user enters their username at the AAD STS.
2. The AAD STS returns a 401 response asking for a Kerberos ticket.
3. The user requests a Kerberos ticket from the DC.
4. AD returns the Kerberos ticket.
5. The user sends the ticket to the AAD STS.
6. The AAD STS returns a token to the user.

Ensuring clients sign in automatically: requires the sites to be added to the Intranet zone.

Seamless Sign-In Scenarios

| Workstation | Inside Corp Network | Public Internet |
|---|---|---|
| On Corp Domain | Single Sign On | HTML Login Page |
| Off Corp Domain | Fall back to HTML Login Page | HTML Login Page |

Demo: Desktop SSO (Mark Rhodes)

Kerberos Token: why is this important?
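Two posture checks for the Desktop SSO pieces described in the Setup slide, as an added example that is not part of the Ignite deck: the age of the machine account whose password is the Kerberos key shared with Azure AD, and whether the Azure AD sign-in host actually landed in the Intranet zone via policy. The account name 'AZUREADSSOACC', the host 'autologon.microsoftazuread-sso.com' and the 30-day rollover target are assumptions.

```powershell
# Added example (not from the Ignite deck): two posture checks for the Desktop SSO
# components described above. Assumptions: 'AZUREADSSOACC' is the computer account
# Azure AD Connect creates for SSO; 'autologon.microsoftazuread-sso.com' is the
# Azure AD endpoint that must be in the Intranet zone; 30 days is the rollover target.

Import-Module ActiveDirectory

function Test-SsoComputerAccount {
    # The account's password IS the Kerberos decryption key shared with Azure AD:
    # anyone holding it can mint tickets Azure AD will accept, so its age matters.
    param([string]$Name = 'AZUREADSSOACC', [int]$MaxKeyAgeDays = 30)
    try {
        $acct = Get-ADComputer -Identity $Name -Properties PasswordLastSet, Enabled -ErrorAction Stop
    } catch {
        return [pscustomobject]@{ Account = $Name; Found = $false; Enabled = $null; KeyAgeDays = $null; RolloverDue = $null }
    }
    $ageDays = if ($acct.PasswordLastSet) { [int]((Get-Date) - $acct.PasswordLastSet).TotalDays } else { $null }
    [pscustomobject]@{
        Account     = $acct.SamAccountName
        Found       = $true
        Enabled     = $acct.Enabled
        KeyAgeDays  = $ageDays
        RolloverDue = ($null -eq $ageDays) -or ($ageDays -gt $MaxKeyAgeDays)
    }
}

function Test-IntranetZonePolicy {
    # The Site to Zone Assignment List GPO writes one registry value per URL under
    # ZoneMapKey; data '1' means Local intranet, which is what seamless sign-in needs.
    param([string]$SsoHost = 'autologon.microsoftazuread-sso.com')
    $key = 'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $entry = $null
    if ($props) {
        $entry = $props.PSObject.Properties | Where-Object { $_.Name -like "*$SsoHost*" } | Select-Object -First 1
    }
    [pscustomobject]@{
        Host       = $SsoHost
        InPolicy   = [bool]$entry
        Zone       = if ($entry) { [int]$entry.Value } else { $null }
        IsIntranet = [bool]($entry -and [int]$entry.Value -eq 1)
    }
}

# Run the account check on a host with RSAT/AD access and the zone check on a client
Test-SsoComputerAccount | Format-List
Test-IntranetZonePolicy | Format-List
```

When RolloverDue comes back true, Update-AzureADSSOForest from the AzureADSSO module shipped with Azure AD Connect is the documented way to roll the key.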

Azure AD Connect Auto-Upgrade

AAD Connect auto-upgrade
- Introduced in the January 2016 build
- Enabled by default for express installations and DirSync upgrades
- When a new version is released, your installation is automatically upgraded

Summary: cloud identity scenarios and new features
- Ease of AAD Connect installation
- Choose the simplest model for your requirements

Questions? marhod@microsoft.com

Q&A

Continue your Ignite learning path
- Visit Channel 9 to access a wide range of Microsoft training and event recordings: https://channel9.msdn.com/
- Head to the TechNet Eval Centre to download trials of the latest Microsoft products: http://Microsoft.com/en-us/evalcenter/
- Visit Microsoft Virtual Academy for free online training: https://www.microsoftvirtualacademy.com

Thank you. Chat with us in the Speaker Lounge. Find us @MRhodes and @BrianFarnhill.