
Learn how Unilever modernized IT with Azure AD at the core


1 Learn how Unilever modernized IT with Azure AD at the core
BRK2210
Robert Walsh – Unilever
Holly Lockhart – Unilever
Mark Morowczynski – Microsoft

2 UNILEVER IS A GLOBAL COMPANY
- Europe: €13.6 billion turnover, 2.6% underlying sales growth, 26% of group turnover
- The Americas: €17.3 billion turnover, 0.4% underlying sales growth, 32% of group turnover
- Asia/AMET/RUB: €22.4 billion turnover, 3.0% underlying sales growth, 42% of group turnover
2015 turnover = €53.3 bn

3

4 IT Scale: Perspective
Users
- 100k+ IT users in 190+ countries
- Office 365 licenses – 102K
- Azure AD Premium licenses – 107K
- Intune licenses – 60K
Operating Environment
- Desktops, laptops, thin clients & mobile devices
- Support 23 languages
- Windows 7, Windows 8.x, Windows 10 & Mac
- One build globally for each platform
- Active evergreen program
- Mobile support: iOS, Android & Windows Phone

5 Why we started… We needed to be more dynamic in response to changing end user needs

6 Design Goals
- Mindset: Deploy a scalable framework that provided for integrated secure identification and access
- Leverage cloud to drive efficiencies & reach
- Support an anywhere at any time working framework
- Mobile First (applications needed to be available to mobile devices)
- Improve the user experience (simplifying security and access requirements)
- Improved security and usage tracking

7 Platform management End to end management considerations
- Solution Architecture
- Application Management
- Governance
- Adoption and productivity is measurable
- Financials – have to stack up
- Solutions: building to scale and ability to change
- Evolution as a mindset
- Identity and access core
- Security is at heart
- Sustainability – reducing our footprint, non-negotiable
- Service Delivery
- Service Performance and Service management is paramount

8 Technology Selections
Microsoft Technology Supporting the Design Goals
- Office 365
- ADFS 3.0/Azure Active Directory as the Identity Provider – extending the reach
- Azure MFA – strengthening security
- Device Conditional Access – improving user experience
- Azure AD Connect

9 Leveraging the cloud… Easier said than done

10 Office 365 for the Enterprise
Office 365 Prerequisites
- Office 2013 to the masses
- Most had Office 2007
- App remediation
- Office 365 licensing via FIM
Office 365 Deliverables
- Exchange hybrid setup
- EXO migration - 100K+ mailboxes
- OneDrive deployment
- SP2010 to SPO
Challenges
- Migrations from old to new environments

11 Office 365 for the Enterprise
More Office 365 Prerequisites
- Dir Sync implemented
  - Soon replaced with FIM Sync -> Azure AD Connect
- Azure AD tenant created
  - Was just part of Office 365 to start
  - Learned what else we could do with it
Challenges
- Lack of granular admin roles in Azure AD
- Many people with unneeded access…
- Implemented PIM to mitigate the risk:
  - Admins creating admins
  - Full time admin accounts
  - MFA required to enable admin rights
  - Improved audit reporting of admin actions

12 Identity takes center stage

13 Azure AD provided the venue to manage cloud identities
Identity Management
- ADFS 3.0 – Identity provider
- Pre work: Wake up call that identity attributes needed to be accurate (cleaning of AD)
- Enabled logins to be managed effectively
- Integrated advanced security features
- IT to recognize and manage internal and external identities and provide the right level of access
Challenges
- Moving from ADFS 2.0 to 3.0

14 ADFS 2.0 apps migrated
Priority Order
- Azure AD Marketplace
- Azure AD Custom (BYOA)
- ADFS 3.0 (Internal users only – limiting)
- Initial 60+ apps transitioned
- Now we have over 200 in Azure AD!
Challenges
- Azure AD SSO Marketplace apps are needed!!!
- Educating app owners and app vendors
- MS tools to manage apps

15 App Proxy : on-premises & AWS app access
- Before – needed VPN for almost everything
- No VPN for mobile
- SP2010 Corporate Home page moved to SPO
- App proxy used to connect to SP2010 on-premises
- Old homepage had many links to on-premises apps so app proxy for all of them too
- Seamless experience between the two platforms
- Two connector groups
- Another set of App Proxy Connectors in AWS
- 75 apps at last count

16 Security moves into front seat

17 Azure MFA
Azure MFA
- Enabled 2 factor authentication
- Deployed on-premises Azure MFA Servers
- Deployed Azure MFA for new cloud identities
- Security became a focused event for the end user community
Challenges
- Multiple MFA instances required
- Another move, ADFS 2016, future consolidation
- Variances in working environments (office & factory)
- Areas that did not provide for cell coverage
- Lack of Mac OS support initially
- User experience – too many challenges

18 November 23, 2015

19 Nov 23, 2015 – Workday go-live (100K+)
- Big bang cutover – always a bigger risk
- Global HR systems all at once
- 1st MFA app
- 1st conditional access app - when not on corporate network
- 1st Azure AD Marketplace SaaS app
- Introduced Azure AD only identities with new domain
- Introduced SSPR for Azure AD managed accounts
- Variety of kiosk machines at the sites

20 Met Security mandate but... We had to make it better

21 Conditional Access
Microsoft Intune
- Azure AD Connect was a prerequisite
- Enabled iOS, Android and Windows Phone devices to be managed
- Integrated enrollment approach enforcing MFA during enrollment
- Option to manage devices (MDM) or just applications (MAM) for BYOD
Challenges
- User adoption: device enrollment depends on the end user. Fewer MFA challenges with conditional access can be the incentive.
- Keeping up with device OS changes
- Differing ways of working
- Various Android models and capabilities
- Education: how and why security is a mandate

22 Trusted Device as 2nd Factor - PSSO
- Workplace Join
- FIM sync -> Azure AD Connect
- Device write back
Challenges
- Windows 10 – it's different
- Still looking for a way to provide this to the Macs – Intune not chosen for Macs
- Number of Macs is growing so pressure is growing

23 Unilever’s Journey In Summary
Office 365 DirSync FIM Sync Azure AD App Proxy PIM MFA ADFS 3.0 AADP Per-app CA Workday SaaS apps Azure AD only accounts Azure MFA SSPR Workplace Join Intune MDM Azure AD Connect Azure Device Registration Device write back Additional Win10 requirements

24 Change is the new norm!

25 What’s Next
- Upgrade & right size on-premises Exchange
- Group management strategy
- Get to one MFA with ADFS 2016
- Additional Azure AD managed account scenarios
- B2B Collaboration
- FIM to Azure AD
- SSPR for federated accounts
- Identity Protection

26 Design Goals
- Mindset: Deploy a scalable framework that provided for integrated secure identification and access
- Leverage cloud to drive efficiencies & reach
- Support an anywhere at any time working framework
- Mobile First (applications needed to be available to mobile devices)
- Improve the user experience (simplifying security and access requirements)
- Improved security and usage tracking

27 Advice to others
What we wish we knew
- It is important to connect with application vendors early
- Two factor authentication was not widely understood
- Microsoft Product Group contacts are critical to success
Benefits of early adoption
- Getting to influence priorities for delivery
- All of us figuring it out as we go along
- Sometimes finding bugs, but able to work through the issues (executive support important)
- Also means we deliver a better solution to our users!!!!

28 Questions

29 Free IT Pro resources To advance your career in cloud technology
Microsoft Ignite 2016
- Plan your career path
- Microsoft IT Pro Career Center
- Cloud role mapping
- Expert advice on skills needed
- Self-paced curriculum by cloud role
- $300 Azure credits and extended trials
- Pluralsight 3 month subscription (10 courses)
- Phone support incident
- Weekly short videos and insights from Microsoft’s leaders and engineers
- Connect with community of peers and Microsoft experts
- Get started with Azure
- Microsoft IT Pro Cloud Essentials
- Demos and how-to videos
- Microsoft Mechanics
- Connect with peers and experts
- Microsoft Tech Community
© 2016 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
