Presentation transcript:

Microsoft Ignite 2015 4/16/2017 4:55 PM © 2015 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

BRK3871 What’s New in Active Directory Domain and Federation Services in Windows Server 2016 Samuel Devasahayam @MrADFS

Identity as the foundation
(Diagram: Windows Server Active Directory and other directories on-premises, bridged by Azure AD Connect to Microsoft Azure Active Directory in the public cloud, which provides self-service and single sign-on with a username and password to SaaS applications, Azure and Office 365.)

Agenda
Looking at it from the perspective of our scenarios:
- Enhance the hybrid identity story
- Secure access with MDM integration
- Build modern applications with OpenID Connect & OAuth
- Enable a sign-in experience that is simple and seamless
- Enhance security with AD Domain Services
- Keeping time

Building a flexible hybrid solution

On-boarding to Azure AD & Office 365
Azure AD Connect supersedes DirSync, Azure AD Sync and FIM + Azure AD Connector as the consolidated deployment assistant for your identity bridge components (the sync engine plus optional AD FS):
- Express settings
- Multi-forest support
- Password hash sync
- Streamlined federation setup with AD FS
- Configurable sync settings
AD FS is optional; it addresses complex enterprise deployments: domain-join SSO, enforcement of AD login policy, smart card or third-party MFA.
See BRK3862: Extending On-Premises Directories to the Cloud Made Easy with Azure AD Connect, and http://blogs.technet.com/b/ad/archive/2014/12/15/azure-ad-connect-one-simple-fast-lightweight-tool-to-connect-active-directory-and-azure-active-directory.aspx
© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

What about users in LDAP directories?
- Enable login to Azure AD/Office 365 or other AD FS apps for users stored in LDAP directories
- Consolidate app authentication and authorization across different account stores
- Supports any LDAP v3 directory
- Support across sync and sign-in coming to Azure AD Connect at a later date
(Diagram: AD FS fronting AD DS and LDAP directories for Azure AD, SaaS, Azure, Office 365, partner resources and LOB apps.)

LDAP v3 Directory Authentication with AD FS
- Each LDAP directory is modeled as a 'local' claims provider trust, just like Active Directory
- Shows up as another claims provider in home realm discovery for passive authentication
- You can augment the user's claims after authentication by modifying the claims provider rules
- The scope of the directory can be restricted to an OU
- The login ID can be any attribute; it just needs to be unique in the directory
- An untrusted AD forest can be modeled as an LDAP directory: a good first step in mergers & acquisitions without enabling a forest trust, and easier integration with DMZ forests that only have a one-way trust
- For Office 365, the claims provider trust must be configured with unique login suffixes (needed for WS-Trust based authentication such as EAS)

Office 365 login with LDAP accounts Demo

LDAP v3 Directory Configuration

Step 1: Configure the connection to the LDAP directory

$DirectoryCred = Get-Credential
$vendorDirectory = New-AdfsLdapServerConnection -HostName dirserver -Port 50000 -SslMode None -AuthenticationMethod Basic -Credential $DirectoryCred

Step 2 (optional): Map LDAP attributes to claims for authenticated users

# Map given name claim
$GivenName = New-AdfsLdapAttributeToClaimMapping -LdapAttribute givenName -ClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
# Map surname claim
$Surname = New-AdfsLdapAttributeToClaimMapping -LdapAttribute sn -ClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"
# Map common name claim
$CommonName = New-AdfsLdapAttributeToClaimMapping -LdapAttribute cn -ClaimType "http://schemas.xmlsoap.org/claims/CommonName"

LDAP v3 Directory Configuration

Step 3: Register the store with AD FS as a local claims provider

$vendorsCp = @{
    Name       = "Vendors"
    Identifier = "urn:vendors"
    Type       = "Ldap"
    # Connection info
    LdapServerConnection = $vendorDirectory
    # How to locate user objects in the directory
    UserObjectClass          = "inetOrgPerson"
    UserContainer            = "CN=VendorsContainer,CN=VendorsPartition"
    LdapAuthenticationMethod = "Basic"
    # Claims for authenticated users
    AnchorClaimLdapAttribute    = "mail"
    AnchorClaimType             = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"
    LdapAttributeToClaimMapping = @($GivenName, $Surname, $CommonName)
    # General claims provider properties
    AcceptanceTransformRules = 'c:[Type != ""] => issue(claim=c);'
    Enabled                  = $true
    # Optional: supply a user name suffix if you want to use WS-Trust
    OrganizationalAccountSuffix = "vendors.contoso.com"
}
Add-AdfsLocalClaimsProviderTrust @vendorsCp
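The same three steps carried through end to end, with the connection made over LDAPS and a verification at the end. This is an added example, not code from the session: the host name, container DN, account suffix and message text are placeholders, and the property names listed in the final Format-List are assumed from the AD FS 2016 cmdlet output.

```powershell
# Added example (not from the session). Placeholders: host name, container DN,
# account suffix. Cmdlets are the AD FS 2016 LDAP claims provider cmdlets.
Import-Module ADFS

$DirectoryCred = Get-Credential -Message "Bind account for the vendor LDAP directory"

# Step 1: connect over LDAPS (SslMode Ssl, port 636). With Basic authentication the
# user's password is sent in the bind, so SslMode None belongs in a lab only.
$vendorDirectory = New-AdfsLdapServerConnection -HostName "ldap.vendors.example" `
    -Port 636 -SslMode Ssl -AuthenticationMethod Basic -Credential $DirectoryCred

# Step 2: attribute-to-claim mappings for authenticated users.
$GivenName  = New-AdfsLdapAttributeToClaimMapping -LdapAttribute givenName `
    -ClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
$Surname    = New-AdfsLdapAttributeToClaimMapping -LdapAttribute sn `
    -ClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"
$CommonName = New-AdfsLdapAttributeToClaimMapping -LdapAttribute cn `
    -ClaimType "http://schemas.xmlsoap.org/claims/CommonName"

# Step 3: register the store. The user container is scoped to one OU so that only
# the intended vendor accounts can sign in through this claims provider.
$vendorsCp = @{
    Name                        = "Vendors"
    Identifier                  = "urn:vendors"
    Type                        = "Ldap"
    LdapServerConnection        = $vendorDirectory
    UserObjectClass             = "inetOrgPerson"
    UserContainer               = "OU=Vendors,DC=vendors,DC=example"   # placeholder
    LdapAuthenticationMethod    = "Basic"
    AnchorClaimLdapAttribute    = "mail"
    AnchorClaimType             = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"
    LdapAttributeToClaimMapping = @($GivenName, $Surname, $CommonName)
    # Pass through every claim the store produced; tighten to specific types later.
    AcceptanceTransformRules    = 'c:[Type != ""] => issue(claim=c);'
    OrganizationalAccountSuffix = "vendors.example"                    # placeholder
    Enabled                     = $true
}
Add-AdfsLocalClaimsProviderTrust @vendorsCp

# Verification: the trust exists, is enabled, and carries the suffix that WS-Trust
# clients (for example EAS with Office 365) need for home realm discovery.
$cp = Get-AdfsLocalClaimsProviderTrust -Name "Vendors"
if (-not $cp) { throw "Claims provider trust 'Vendors' was not created" }
$cp | Format-List Name, Identifier, Enabled, OrganizationalAccountSuffix
```

The splatted hashtable keeps each group of parameters commented without breaking PowerShell's backtick line continuation, which cannot have a comment line between continued lines.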

Moving from 2012 R2 to 2016 gets easier!
- Just 'join' a server running the next version (vNext) to the existing farm
- The farm acts in 'compat' mode (farm level: 2012 R2)
- Validate existing functionality
- Add more vNext nodes
- Wean load off the older nodes by removing them from the load balancer
- Upgrade the farm version (farm level: vNext); roll back is supported
- Use the new features!
- Remove the old version nodes
(Diagram: WAP nodes behind a load balancer in front of AD FS primary and secondary nodes.)
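The farm-version upgrade from the list above, as an added example that is not part of the session: it uses the AD FS 2016 farm behavior level cmdlets, assumes it runs on a vNext node that has already joined the farm, and takes no farm-specific values.

```powershell
# Added example (not from the session). Runs on an AD FS 2016 (vNext) node that
# has already joined the farm; no farm-specific values are assumed.
Import-Module ADFS

# 1. Where the farm stands: the behavior level and every node in it.
$farm = Get-AdfsFarmInformation
"Current farm behavior level: $($farm.CurrentFarmBehavior)"
$farm.FarmNodes | Format-Table -AutoSize

# 2. Dry run. The test reports anything that blocks the raise, for example nodes
#    still running the older version; drain and remove those before going on.
Test-AdfsFarmBehaviorLevelRaise

# 3. The raise itself. Make it an explicit decision (-Confirm) rather than part
#    of an unattended script: the mixed-mode farm is what gives you a way back.
Invoke-AdfsFarmBehaviorLevelRaise -Confirm

# 4. Confirm the new level and that all nodes agree.
(Get-AdfsFarmInformation).CurrentFarmBehavior
```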

Azure AD Connect Health
- Monitor the AD FS service for reliable & highly available authentication
- Email notification for critical alerts
- Analyze AD FS logins for usage & capacity planning based on app, authentication, network location & failures
- Perform forensic analysis on top users with bad passwords
- Troubleshoot with easy access to critical performance counters
"After migrating from ADFS 2.0 to ADFS 3.0, Azure AD Connect Health helped us identify critical issues with our system such as missing QFEs, connectivity issues and missing certificates or certificate expirations. The service is very user friendly and helpful for keeping the health of the federation service in check." – Fortune 500 Consulting Organization

Conditional Access with MDM integration

Introducing 'Conditional Access Control'
Conditional access control to on-premises applications combines:
- User attributes: user identity, group memberships, auth strength (MFA)
- Devices: authenticated, MDM managed (Intune), compliant with policies, not lost/stolen
- Application: business sensitivity
- Other: inside corp. network, outside corp. network, risk profile

Access Control Policies Demo

Device Registration with the Azure AD Device Registration Service
Discover & Authenticate
1. The device connects to the Azure AD Device Registration service to look up the service information, registration endpoints, and authentication requirements.
2. The device connects to Azure AD, where the user is authenticated using the authentication requirements that were discovered in the first step. Azure AD issues an access token for the Azure AD Device Registration Service.
Registration
3. The client generates a key pair and certificate signing request. The key and certificate are stored in the local Microsoft keychain; the key is generated and stored in a Trusted Platform Module (TPM) if one is available on the device.
4. The device sends the Azure AD issued access token and certificate signing request to the Azure AD Device Registration Service.
5. The service signs the certificate request using a self-signed service certificate.
6. A device object is created in Azure Active Directory. The device object represents the registered user on the device (user @ device).
Device Write-back
7. The device object is written back to Active Directory via Azure AD Connect.
8. AD FS consumes device objects for device authentication and conditional access to applications that trust AD FS.
(Diagram: example user dan@contoso.com; on-premises Active Directory and AD FS; on the Azure side Azure Active Directory, Azure AD Device Registration and Intune.)

Device Conditional Access
- Enable access only from devices that are managed and/or compliant
- Support for restricting access to corporate 'joined' PCs
- Windows 10 joined devices (Domain Join & AAD Join) will have integrated experiences as part of their join process
- Support for Win7/Win8.1 domain joined PCs via group policy based deployment
- Revocation of access & SSO when device attributes change: the user is prompted for fresh credentials or denied access

Access Control Policies
- Templates to simplify applying similar policies across multiple applications
- Parameterized templates to support assigning different values for access control (e.g. security group)
- Simpler UI with additional support for many new conditions
Conditional predicates: security groups; networks (inside, outside, IP range); device trust level (authenticated, managed, compliant); require MFA

Delegated Service Management
- Separation between server administrators and AD FS service administrators
- No requirement to be a local server administrator any more!
- Standard security groups can be assigned as admins
- The admin configures whether local system and local administrators are allowed to perform service management

Audit Enhancements: Schematized Audits
- Fewer but comprehensive audits, schematized for easy parsing
- Reduces the number of audits for a logon from ~80 to fewer than 3
- Turned on by default in a 'new' farm
- Existing audits are enabled in 'verbose' mode for backward compatibility
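The delegated service management and schematized audit settings from the two slides above, followed by a query that uses the parsable audits for the kind of bad-password forensics Azure AD Connect Health offers. This is an added example, not code from the session: the group name is a placeholder, event ID 1203 (failed credential validation) and the UserId element are taken from the AD FS 2016 schematized audit layout and are assumptions to check against your own events.

```powershell
# Added example (not from the session). Group name is a placeholder; event ID 1203
# and the <UserId> element follow the AD FS 2016 schematized audit layout.
Import-Module ADFS

# Delegated service management: a standard AD group administers the service, and
# membership of the local Administrators group no longer implies AD FS admin rights.
Set-AdfsProperties -DelegateServiceAdministration "CORP\ADFS-Service-Admins" `
                   -AllowLocalAdminsServiceAdministration $false

# Schematized audits: a handful of structured events per logon instead of ~80.
Set-AdfsProperties -AuditLevel Basic
# AD FS writes its audits to the Security log only when this OS subcategory is on.
auditpol.exe /set /subcategory:"Application Generated" /failure:enable /success:enable
Restart-Service adfssrv

# Forensics over the last 24 hours: failed credential validations (event 1203),
# bucketed per hour and per user so bursts of bad passwords stand out.
$since  = (Get-Date).AddHours(-24)
$failed = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; ProviderName = 'AD FS Auditing'; Id = 1203; StartTime = $since
} -ErrorAction SilentlyContinue

"Failures per hour:"
$failed | Group-Object { $_.TimeCreated.ToString('yyyy-MM-dd HH:00') } |
    Sort-Object Name | Format-Table Name, Count -AutoSize

"Top users with bad passwords:"
$failed | ForEach-Object {
    # The schematized payload is XML inside the event; pull the user identifier out.
    if ($_.ToXml() -match '<UserId>([^<]+)</UserId>') { $Matches[1] }
} | Group-Object | Sort-Object Count -Descending | Select-Object -First 10 Name, Count
```

The hourly histogram is the first thing to look at on a farm: a flat background of typos versus a sharp spike tells you whether the per-user list is worth escalating.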

Build Modern Applications

Authentication Protocols
Standards-based, HTTP-based protocols for maximum platform reach: WS-Fed, SAML 2.0, OpenID Connect, OAuth 2.0 (including on-behalf-of, OBO).
(Diagram: browser, web application, native app and server app reaching Web APIs over these protocols, with OAuth 2.0 on-behalf-of between application tiers.)

OAuth in AD FS vNext
Windows Server 2012 R2: authorization grant profile, public clients only.
Additional profiles in vNext:
- Implicit flow to support single page applications (say using angular.js)
- Resource owner password for scripting apps
- OBO support: enable multi-tier applications to pass on user context to back-end services
- ID token support
- Confidential client authentication: symmetric keys, asymmetric keys, Windows accounts
- Secure device authentication: provides protection from roaming attacks and avoids TLS where certificate prompts don't work

OpenID Connect
- Enable apps (e.g. MVC) with a web front end as well as a Web API back end
- Returns an authorization code to the web application, which is exchanged for tokens & refresh tokens
- Support for OpenID Connect Discovery
- Scopes: define a resource group within an application
- Permissions: assignment of scopes for a 'client' to access a 'service' application
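The pieces named on the last two slides (public client, confidential client, OBO, ID token, scopes and permissions) wired together in one AD FS 2016 application group, with an access control policy template from the earlier Access Control Policies slide on the front-end API. This is an added example, not code from the session: the group, application names, identifiers, URIs and the "Permit everyone and require MFA" template name are placeholders or assumptions, and the generated client secret being returned on the Add-AdfsServerApplication output is assumed from the cmdlet's behaviour.

```powershell
# Added example (not from the session). Group, application names, identifiers and
# URIs are placeholders; the cmdlets are the AD FS 2016 application group cmdlets.
Import-Module ADFS

$group = "ExpenseApp"
New-AdfsApplicationGroup -Name $group -ApplicationGroupIdentifier $group `
    -Description "Native client -> Expense API -> Ledger API (OpenID Connect + OAuth OBO)"

# Tier 1: public (native) client. It cannot keep a secret, so it is identified by
# its client id and the redirect URI it is allowed to receive codes on.
Add-AdfsNativeClientApplication -ApplicationGroupIdentifier $group -Name "Expense Mobile" `
    -Identifier "expense-mobile" -RedirectUri "https://expense.example/auth/callback"

# Tier 2: the Web API the client calls. MFA is required through a built-in access
# control policy template; the issuance rule decides which claims reach the API.
$upnOnly = @'
@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass through UPN"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(claim = c);
'@
Add-AdfsWebApiApplication -ApplicationGroupIdentifier $group -Name "Expense API" `
    -Identifier "https://api.expense.example" `
    -AccessControlPolicyName "Permit everyone and require MFA" `
    -IssuanceTransformRules $upnOnly

# Tier 2's confidential (server) side: it authenticates to AD FS with a client
# secret and exchanges the user's token on-behalf-of (OBO) for the back-end API.
# The generated secret is returned on this object (assumed); keep it in a secret store.
$serverApp = Add-AdfsServerApplication -ApplicationGroupIdentifier $group `
    -Name "Expense API (server app)" -Identifier "https://api.expense.example" -GenerateClientSecret

# Tier 3: the back-end Web API, reachable only with an OBO token.
Add-AdfsWebApiApplication -ApplicationGroupIdentifier $group -Name "Ledger API" `
    -Identifier "https://ledger.expense.example" -AccessControlPolicyName "Permit everyone" `
    -IssuanceTransformRules $upnOnly

# Permissions = scopes granted from a client role to a service role.
# 'openid' yields the ID token; 'user_impersonation' lets the server app act as the user.
Grant-AdfsApplicationPermission -ClientRoleIdentifier "expense-mobile" `
    -ServerRoleIdentifier "https://api.expense.example" -ScopeNames @("openid", "user_impersonation")
Grant-AdfsApplicationPermission -ClientRoleIdentifier "https://api.expense.example" `
    -ServerRoleIdentifier "https://ledger.expense.example" -ScopeNames @("user_impersonation")

# Check: every application in the group, and the discovery document clients will use.
Get-AdfsApplicationGroup -ApplicationGroupIdentifier $group
"Discovery: https://$((Get-AdfsProperties).HostName)/adfs/.well-known/openid-configuration"
```

The server application shares its identifier with the front-end Web API on purpose: that is what lets the token issued to the API be presented back to AD FS in the OBO exchange, and the back-end API only ever sees a token minted for it, never the client's original one.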

OpenID Connect Demo

Enhanced Sign-In Experiences

App Branding with per-RP Customization
- Modify sign-in page descriptions to have specific language/links for an RP
- Modify images (e.g. illustration & logo) to align with RP-specific branding
- Modify JavaScript via onload.js to control UI elements that are RP-specific
- Easier management using a custom web theme to have a similar look & feel across a set of RPs

Per-RP customization Demo

Per-RP Customization Examples

# Modify the sign-in page description for a specific RP
Set-AdfsRelyingPartyWebContent -TargetRelyingPartyName "Who Am I" -SignInPageDescription "Hello, you are signing into the Finance app. You will be prompted for additional credentials"

# Modify the illustration image or logo to show RP branding
Set-AdfsRelyingPartyWebTheme -TargetRelyingPartyName "Who Am I" -Illustration @{path="C:\Images\illustration.colorcrayons.jpg"} -Logo @{path="C:\Images\rp1logo.png"}

# Use a customized onload.js to handle UI element changes on a per-application basis
Set-AdfsRelyingPartyWebTheme -TargetRelyingPartyName "Who Am I" -OnLoadScriptPath @{path="c:\scripts\adfstheme\onload.js"}

Device Authentication as Primary
- Device authentication is now supported as primary authentication, recognizing both user & device
- Simpler sign-in from devices
- Enables elimination of exposure of username/password on the intranet

AD FS: Certificate Proxy Authentication
- Enable seamless access to Azure RemoteApp without having to sign into the VM session again
- Enables hybrid scenarios where a cloud service can talk to on-premises services as the user without KCD (Kerberos constrained delegation)
How does it work?
- AD FS acts as a registration authority to the existing AD CS PKI infrastructure, or AD FS can act as its own certificate authority trusted by AD DS
- The client makes a call to AD FS via an OAuth extension to request a certificate
- Confidential clients provide the AD FS token for the user and get back a certificate

Enhance Security with AD Domain Services

Time-limited group memberships
- Users can be added to a security group with a time-to-live (TTL)
- When the TTL expires, the user's membership in that group disappears
- Kerberos ticket lifetime is determined by the TTL of the user's memberships: the TGT is based on the shortest group membership, and the service ticket (ST) on the TGT and the resource's local domain group membership
- Requires the new forest functional level (FFL)
- A scavenger thread takes care of cleaning up expired group memberships
(Diagram: the group stores each member as <TTL, user-DN>; TGT: shortest group lifetime; ST: shortest of TGT and resource local domain group.)
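Granting and inspecting a TTL membership, as an added example that is not part of the session: it uses the Windows Server 2016 ActiveDirectory module cmdlets; the forest name, group and user are placeholders.

```powershell
# Added example (not from the session). Forest name, group and user are
# placeholders; cmdlets are from the Windows Server 2016 ActiveDirectory module.
Import-Module ActiveDirectory

# One-time, forest-wide: needs the 2016 forest functional level, and once enabled
# the feature cannot be turned off again.
Enable-ADOptionalFeature -Identity "Privileged Access Management Feature" `
    -Scope ForestOrConfigurationSet -Target "corp.example"

# Grant membership that expires by itself: 30 minutes of Tier-0 admin rights.
Add-ADGroupMember -Identity "Tier0-Admins" -Members "alice" `
    -MemberTimeToLive (New-TimeSpan -Minutes 30)

# Inspect remaining TTLs. Members with a TTL are rendered as <TTL=seconds,DN>;
# permanent members appear as plain DNs, which is exactly what to audit against.
Get-ADGroup -Identity "Tier0-Admins" -Properties member -ShowMemberTimeToLive |
    Select-Object -ExpandProperty member

# Kerberos consequence: a TGT obtained by alice after this add is capped at the
# shortest remaining TTL, so the rights really expire with the membership.
# Verify from alice's fresh logon with:  klist tgt
```

Because the TGT lifetime is capped by the shortest membership TTL, a user who is already logged on keeps the group in existing tickets until they expire; the cap only bites on tickets issued after the TTL membership is added.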

JIT forest
- Create a new Server 2016 forest; no need to change the existing forest
- Create a new 'PIM' trust to the existing forest
- Add shadow principals in the new forest: a shadow group is a new object class created in the configuration NC; unlike a security group, it carries the security identifier (SID) of a principal from a domain in another forest
- Add a shadow admin user
- Remove admins from the existing groups
- The PIM system manages the TTL groups: a workflow adds the shadow user to the shadow admin group
(Diagram: existing forest; PIM forest trust; JIT forest with TTL group membership managed by PIM.)

Support for Windows '10' devices
- Enable secure login to Windows with Microsoft Passport
- Passport is a strong credential bound to the device, is TPM protected and can be attested; similar to virtual smartcards but without the certificate encoding for the keys
- New domain controller support to authenticate with secure Microsoft Passport credentials: requires one or more domain controllers in the user's domains to be Windows Server 2016 (no DFL requirement)
- Provisioning of Microsoft Passport credentials for on-premises only customers: Microsoft Passport provisioning enabled on AD FS servers (NOTE: hybrid customers will use Azure AD for provisioning)
- SSO to applications protected by AD FS: login to Windows 10 devices results in priming of a Primary Refresh Token (PRT) for SSO to apps protected by AD FS

Keeping Time

Time Synchronization
- Current accuracy (100s of ms) does not meet many modern needs: applications such as video game rendering or stock trading require highly accurate time
Improvements:
- Elimination of rounding errors while calculating time
- More frequent, fine-tuned adjustments leading to better accuracy
- More accurate time server estimation
- Leading to accuracy within 10s of microseconds



Related Content
- BRK3863: Identity and Access Management Everywhere
- BRK3851: Real Customer Stories for Azure Active Directory Premium
- BRK3862: Extending On-Premises Directories to the Cloud Made Easy with Azure AD Connect
- BRK3864: Enable Your On-Premises Apps for the Cloud with Microsoft Azure AD Application Proxy
- BRK3865: How Microsoft Azure AD Helps Prevent, Detect and Remediate Attacks to Your Enterprise
- BRK3867: Microsoft Identity Platform for Developers: Overview and Roadmap
- BRK3854: How Microsoft IT Manages Identity in a Hybrid Cloud World
- BRK3332: Microsoft Azure Active Directory and Windows 10: Better Together for Work or School
- BRK4850: Developing Web and Cross Platform Mobile Apps with Azure Active Directory
- BRK3873: Protecting Windows and Microsoft Azure AD with Privileged Access Management
- BRK3857: Upgrading from FIM to Microsoft Identity Manager and Azure Active Directory
