Presentation transcript:

Microsoft Ignite 2016, BRK3330: Join your Windows 10 devices to Azure AD for anywhere, anytime productivity
Jairo Cadena, Senior Program Manager, @JairoC_AzureAD, jairocadena.com
© 2016 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Mobile-first, cloud-first reality
- Data breaches: 63% of confirmed data breaches involve weak, default, or stolen passwords.
- Shadow IT: more than 80 percent of employees admit to using non-approved software as a service (SaaS) applications in their jobs.
- IT budget growth: Gartner predicts global IT spend will grow only 0.6% in 2016.

Identity as the core of enterprise mobility
(Diagram: Microsoft Azure Active Directory in the centre, with a simple connection to Windows Server Active Directory and other on-premises directories on one side and SaaS, Azure and public cloud on the other; self-service and single sign-on for users.)

Azure Active Directory
- Microsoft "Identity Management as a Service (IDaaS)" for organizations.
- Millions of independent identity systems controlled by enterprise and government "tenants." Information is owned and used by the controlling organization, not by Microsoft.
- Born-as-a-cloud directory for Office 365. Extended to manage across many clouds. Evolved to manage an organization's relationships with its customers/citizens and partners (B2C and B2B).
- 90% of Fortune 500 companies use Microsoft Cloud (Azure, O365, CRM Online, and PowerBI).
- More than 10 M Azure AD directories; more than 750 M user accounts on Azure AD.
- 33,000 Enterprise Mobility + Security | Azure AD Premium enterprise customers.
- More than 110k third-party applications used with Azure AD each month.
- More than 1.3 billion authentications every day on Azure AD.
- Every Office 365 and Microsoft Azure customer uses Azure Active Directory.

Identity and access management in the cloud: Azure Active Directory, identity at the core of your business
- 1000s of apps, 1 identity: provide one persona to the workforce for SSO to 1000s of cloud and on-premises apps.
- Enable business without borders: stay productive with universal access to every app and collaboration capability.
- Manage access at scale: manage identities and access at scale in the cloud and on-premises.
- Cloud-powered protection: ensure user and admin accountability with better security and governance.

The current reality
(Diagram: on-premises Active Directory with managed devices, alongside workloads running in EC2.)

Azure AD in Windows 10 & work accounts
Users:
- Single sign-on to Office 365, SaaS and enterprise apps.
- Enterprise settings and work data across joined devices.
- Convenience of access with Windows Hello for Business.
- Access to enterprise apps via Windows Store for Business.
Admins:
- Allow access only to devices compliant with org. policy.
- Peace of mind: settings and work data in a compliant cloud.
- Reduce risk of credential theft by not using passwords.
- Offer specific enterprise applications to users.

Demo: user joins device to Azure AD and gets access to Office 365

(Diagram: Windows 10 authentication stack for a device in both Azure AD (contoso.com) and on-premises AD (corp.contoso.com). Labels recovered: the Credential Provider passes the user's credentials (Password, Certificate, STK) to Cloud AP, which obtains a PRT from Azure AD, and to Kerberos AP, which obtains a TGT from AD (Creds > TGT). The Web Account Manager turns the PRT into tokens for Office apps, Office 365, SaaS apps, Azure AD Proxy apps and browser/web apps (Edge / IE); the IWA stack turns the TGT into service tickets (TGT > ST) for on-premises web servers and file/print servers used by Win32 and rich client apps.)

Windows 10 devices in Azure AD
- Domain joined
- Azure AD joined
- Workplace joined
(Device categories shown: mobile devices, personal devices, work-owned devices.)

Demo: admin secures Office 365 by allowing access to compliant devices only

Deployment considerations

Preparing devices for work with Azure AD
Domain joined devices:
- Automatically register with Azure AD once requirements are set.
- Device is not associated with a user in Windows 10.
- Azure AD Connect for registration and lifecycle management of computers and devices.
- Windows Installer package for non-Windows 10/Windows Server 2016 computers.
Mobile devices:
- Device registers by an end-user initiated experience.
- Device is associated with a user.
- The experience registers the device with Azure AD and enrolls it with MDM.
- Alternative for personal devices is to use Mobile Application Management (MAM).

Preparing devices: domain joined
Requirements:
- Service Connection Point (SCP) for discovery (all Windows versions!).
- If federated, issuance transform rules for computer authentication upon registration.
- Windows Installer package for non-Windows 10/Windows Server 2016 computers: Windows 7, 8.0, 8.1, Server 2008 R2, Server 2012 and Server 2012 R2.
- Group Policy for roll-out of automatic registration:
  - Windows 10 Anniversary Update/Windows Server 2016 registers without the policy set.
  - Windows 10 November 2015 Update requires the policy set to trigger registration.
  - Windows 8.1 responds to the policy, and can also use the Windows Installer package.
Azure AD Connect:
- Helps with requirements setup (with caveats!).
- Key for lifecycle management of computers and devices.
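The following PowerShell script is an added example, not code from the session or from Microsoft: it checks the three prerequisites above on a domain-joined Windows 10 machine (SCP present in the forest, auto-registration policy applied) and reads the resulting registration state from dsregcmd. It assumes Windows 10 Anniversary Update or later (dsregcmd.exe), that the SCP uses Microsoft's well-known CN, and that the policy writes the autoWorkplaceJoin registry value; the field names parsed from dsregcmd output are the ones the tool prints.

```powershell
# Added example (not from the session). Verifies domain-joined registration
# prerequisites and reads the device's Azure AD registration state.

function Get-AzureAdScp {
    # The SCP lives under the Configuration NC of the computer's own forest;
    # the CN is the well-known device registration GUID.
    $configNC = ([ADSI]'LDAP://RootDSE').Get('configurationNamingContext')
    $path = "LDAP://CN=62a0ff2e-97b9-4513-943f-0d221bd30080," +
            "CN=Device Registration Configuration,CN=Services,$configNC"
    if (-not [ADSI]::Exists($path)) { return $null }
    $keywords = @{}
    foreach ($kw in ([ADSI]$path).Properties['keywords']) {
        # values look like "azureADName:contoso.com" and "azureADId:<tenant guid>"
        $name, $value = "$kw" -split ':', 2
        $keywords[$name] = $value
    }
    return $keywords
}

function Test-AutoRegistrationPolicy {
    # "Register domain joined computers as devices" policy sets autoWorkplaceJoin=1
    # (assumed registry location)
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin'
    $v = Get-ItemProperty -Path $key -Name autoWorkplaceJoin -ErrorAction SilentlyContinue
    return [bool]($v -and $v.autoWorkplaceJoin -eq 1)
}

function Get-DsregStatus {
    # Turn the "Key : Value" lines of dsregcmd /status into a hashtable
    $status = @{}
    foreach ($line in (& dsregcmd.exe /status)) {
        if ($line -match '^\s*(\S+)\s*:\s*(.*?)\s*$') { $status[$Matches[1]] = $Matches[2] }
    }
    return $status
}

$scp    = Get-AzureAdScp
$status = Get-DsregStatus
$scpDomain = if ($scp) { $scp['azureADName'] } else { '' }
$scpTenant = if ($scp) { $scp['azureADId'] }   else { '' }
[pscustomobject][ordered]@{
    ScpFound           = ($null -ne $scp)
    ScpTenantDomain    = $scpDomain
    ScpTenantId        = $scpTenant
    AutoRegisterPolicy = Test-AutoRegistrationPolicy
    DomainJoined       = $status['DomainJoined']
    AzureAdJoined      = $status['AzureAdJoined']
    DeviceId           = $status['DeviceId']
    DeviceTenantId     = $status['TenantId']
} | Format-List

# A device whose TenantId differs from the SCP's azureADId was registered against a
# different tenant than the forest now points to; device-based conditional access
# for this tenant will not see it as registered until that is resolved.
if ($scp -and $status['TenantId'] -and $scpTenant -ne $status['TenantId']) {
    Write-Warning 'SCP tenant ID and device TenantId do not match.'
}
```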

Auto-registration to Azure AD Details @ https://jairocadena.com/2016/01/18/how-domain-join-is-different-in-windows-10-with-azure-ad/

Demo: checking the registration state of a domain joined device

Access denied pages: "You can't get there from here"
When the policy is set to "domain joined required" and the device is not registered, the page reads:
  This application contains sensitive information and can only be accessed from: Contoso Inc. domain joined devices. Access from personal devices is not allowed. Please click here for more information or contact your administrator.
  More details: The following information might be useful to your administrator:
  Access rules set by Contoso Inc. require device to be domain joined
  App name: Outlook 2016
  Device Platform: Windows 10
  Device State: non-registered
  IP address: 12.34.56.78
  Signed in as bob@contoso.com
  Correlation ID: xxxxxxxxxxxxxxxxxxx
  Time stamp: xxxxxxxxxxxx

Access denied pages: "You can't get there from here"
When multiple policies are set and the device is not registered, the page reads:
  This application contains sensitive information and can only be accessed from: Contoso Inc. domain joined devices. Devices or client applications that meet Contoso Inc. management compliance policy. Please click here for more information or contact your administrator.
  If this is a personal device you can choose to let Contoso Inc. manage your device by going to Settings > Accounts > Access work or school and clicking Connect.

Azure AD Connect
SCP creation for discovery:
- Express installation creates the SCP; a Custom installation needs to run a cmdlet.
- Make sure the SCP is created in every forest where computers are.
- Used for all versions of Windows, including down-level with the new Windows Installer package.
Issuance transformation rules in AD FS:
- Both Express and Custom installations take care of them, except for the multi-forest rules.
- Multi-forest rules are needed for environments where computers can be in different forests.
- Computers authenticate using Windows Integrated Authentication.
Write-back operations:
- Device write-back for conditional access control on-premises.
- MS Passport for Work credential on the user for password-less auth against on-premises (DC and AD FS).
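For the multi-forest case above (an SCP needed in a forest that Azure AD Connect did not configure), the following PowerShell is an added example, not code from the session or from Azure AD Connect: it creates the SCP with the same container, CN and keyword format that Azure AD Connect uses, and refuses to touch an existing SCP that points at different values. The function name, the $ForestDc/$VerifiedDomain/$TenantId parameters and the values in the final call are placeholders; it assumes you run it as an administrator of that forest.

```powershell
# Added example (not from the session). Creates the Azure AD device registration
# SCP in one forest, idempotently, so domain-joined computers there can discover
# the tenant during automatic registration.

function New-AzureAdDeviceRegistrationScp {
    param(
        [Parameter(Mandatory)][string]$ForestDc,        # any DC of the target forest
        [Parameter(Mandatory)][string]$VerifiedDomain,  # tenant's verified domain
        [Parameter(Mandatory)][string]$TenantId         # Azure AD tenant GUID
    )
    $scpCn    = 'CN=62a0ff2e-97b9-4513-943f-0d221bd30080'   # well-known SCP name
    $configNC = ([ADSI]"LDAP://$ForestDc/RootDSE").Get('configurationNamingContext')
    $drcRdn   = 'CN=Device Registration Configuration'
    $servicesPath = "LDAP://$ForestDc/CN=Services,$configNC"
    $drcPath      = "LDAP://$ForestDc/$drcRdn,CN=Services,$configNC"
    $scpPath      = "LDAP://$ForestDc/$scpCn,$drcRdn,CN=Services,$configNC"
    $wanted = @("azureADName:$VerifiedDomain", "azureADId:$TenantId")

    if ([ADSI]::Exists($scpPath)) {
        # Never silently repoint a forest at another tenant: compare and stop.
        $existing = @(([ADSI]$scpPath).Properties['keywords'] | ForEach-Object { "$_" })
        $missing  = @($wanted   | Where-Object { $existing -notcontains $_ })
        $extra    = @($existing | Where-Object { $wanted   -notcontains $_ })
        if ($missing.Count -or $extra.Count) {
            throw "SCP already exists with different keywords: $($existing -join ', ')"
        }
        return "SCP already present and consistent in $configNC"
    }
    if (-not [ADSI]::Exists($drcPath)) {
        $drc = ([ADSI]$servicesPath).Children.Add($drcRdn, 'container')
        $drc.CommitChanges()
    }
    $scp = ([ADSI]$drcPath).Children.Add($scpCn, 'serviceConnectionPoint')
    foreach ($kw in $wanted) { [void]$scp.Properties['keywords'].Add($kw) }
    $scp.CommitChanges()
    return "SCP created in $configNC"
}

# Placeholder values: run once per additional forest whose computers should register.
New-AzureAdDeviceRegistrationScp -ForestDc 'dc1.corp.fabrikam.example' `
    -VerifiedDomain 'contoso.example' -TenantId '00000000-0000-0000-0000-000000000000'
```

After creating it, a domain-joined Windows 10 machine in that forest should show the tenant in dsregcmd /status once it registers; if it still does not, check the AD FS multi-forest issuance rules the slide mentions.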

On-premises applications and access control
In the cloud: Azure AD Application Proxy
- You can publish on-premises apps through Azure AD.
- They show in the 'applications' tab in the management portal.
- You can set device-based CA policy to control access the same way as for O365 apps.
On-premises: AD FS
- Requires device write-back in Azure AD Connect.
- AD FS in Windows Server 2016 is required for Windows 10 authentication.

Customer stories: Transportation, Logistics, Oil-Gas; Retail, Hospitality and Travel; Government, Banking, Insurance; Construction, Professional Services; Education, Nonprofit; Health.

Identity and Access Management sessions
Monday:
- 02:15 BRK2139 Protect your business and empower your users with cloud Identity and Access Management
Tuesday:
- 12:30 BRK3107 Connect your on-premises directories to Azure AD and use one identity for all your apps
- 02:15 BRK3225 Secure access to Office 365, SaaS, and on-premises apps and files with Azure AD and Intune
- 04:30 BRK3109 Deliver management and security at scale to Office 365 with Azure Active Directory
Wednesday:
- 09:00 BRK3111 Manage productivity at scale with Azure Active Directory
- 11:30 BRK2170 Learn how Unilever modernized IT with Azure Active Directory at the core
- 02:15 BRK3139 Throw away your DMZ: Azure Active Directory Application Proxy deep-dive
- 04:00 BRK3181 Secure your web applications with Microsoft identity
Thursday:
- 09:00 BRK3252 Use managed domain services on Microsoft Azure
- 12:30 BRK3182 Secure your native and mobile applications with Microsoft identity and application management
- 02:15 BRK3110 Respond to advanced threats before they start: identity protection at its best!
- 04:00 BRK3179 Modernize your app's consumer identity management with Azure AD B2C
- 04:30 BRK2067 Manage access to SaaS Applications with Azure Active Directory
Friday:
- 09:00 BRK3074 Discover what's new in Active Directory Federation and Domain Services in Windows Server 2016
- 10:45 BRK3108 Share corporate resources with your partners using Azure AD B2B collaboration
- 12:30 BRK3330 Join your Windows 10 devices to Azure AD for anywhere, anytime productivity
