
1 Microsoft Ignite 2015 4/16/2017 4:55 PM
© 2015 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

2 BRK3871 What’s New in Active Directory Domain and Federation Services in Windows Server 2016 Samuel Devasahayam @MrADFS

3 Identity as the foundation
(Diagram: Windows Server Active Directory and other on-premises directories are synchronized through Azure AD Connect to Microsoft Azure Active Directory in the cloud, which provides self-service and single sign-on (username/password) to Office 365, Azure and SaaS applications in the public cloud.)

4 Agenda Looking at it from the perspective of our scenarios…
Enhance the hybrid identity story
Secure access with MDM integration
Build modern applications with OpenID Connect & OAuth
Enable a sign-in experience that is simple and seamless
Enhance security with AD Domain Services
Keeping time

5 Building a flexible hybrid solution

6 On-boarding to Azure AD & Office 365
Azure AD Connect consolidates the earlier identity bridge components (DirSync, Azure AD Sync, FIM + Azure AD Connector) into one sync engine with a consolidated deployment assistant:
Express settings
Multi-forest support
Password Hash Sync
Streamlined federation setup with ADFS
Configurable sync settings
ADFS is optional; it addresses complex enterprise deployments: domain-join SSO, enforcement of AD login policy, smart card or 3rd-party MFA.
See BRK3862: Extending On-Premises Directories to the Cloud Made Easy with Azure AD Connect
© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

7 What about users in LDAP directories?
Enable login to Azure AD/Office 365 or other ADFS apps for users stored in LDAP directories.
Consolidate app authentication and authorization across different account stores.
Supports any LDAP v3 directory.
Support across sync and sign-in coming to Azure AD Connect at a later date.
(Diagram: LDAP directories and AD DS behind ADFS, giving those users access to Azure AD, Office 365, Azure, SaaS, partner resources and LOB apps.)

8 LDAP v3 Directory Authentication with ADFS
Each LDAP directory is modeled as a 'local' claims provider trust (just like Active Directory) and shows up as another claims provider in home realm discovery for passive authentication.
You can augment the claims for a user after authentication by modifying the claims provider rules.
The scope of the directory can be restricted to an OU.
The login ID can be any attribute; it just needs to be unique in the directory.
An untrusted AD forest can be modeled as an LDAP directory: a good first step in mergers and acquisitions without enabling a forest trust, and easier integration with DMZ forests that only have a one-way trust.
For Office 365, the claims provider trust must be configured with unique login suffixes (needed for WS-Trust based authentication such as Exchange ActiveSync).

9 Office 365 login with LDAP accounts
Demo

10 LDAP v3 Directory Configuration
Step 1: Configure the connection to the LDAP directory
# <...> marks a value that is not present in the transcript. SslMode None with Basic authentication sends the bind credential and every user password in clear text; use -SslMode Ssl (LDAPS, usually port 636) outside a lab.
$DirectoryCred = Get-Credential
$vendorDirectory = New-AdfsLdapServerConnection -HostName dirserver -Port <port> -SslMode None -AuthenticationMethod Basic -Credential $DirectoryCred
Step 2 (optional): Map LDAP attributes to claims for authenticated users
# Map given name claim
$GivenName = New-AdfsLdapAttributeToClaimMapping -LdapAttribute givenName -ClaimType "<given name claim type URI>"
# Map surname claim
$Surname = New-AdfsLdapAttributeToClaimMapping -LdapAttribute sn -ClaimType "<surname claim type URI>"
# Map common name claim
$CommonName = New-AdfsLdapAttributeToClaimMapping -LdapAttribute cn -ClaimType "<common name claim type URI>"

11 LDAP v3 Directory Configuration
Step 3: Register the store with ADFS as a local claims provider
# Parameters, in order: connection info; how to locate user objects in the directory; claims for authenticated users (anchor claim plus the mappings from step 2); general claims provider properties; optional user name suffix if you want to use WS-Trust. <...> marks a value that is not present in the transcript.
Add-AdfsLocalClaimsProviderTrust -Name "Vendors" -Identifier "urn:vendors" -Type Ldap `
    -LdapServerConnection $vendorDirectory `
    -UserObjectClass inetOrgPerson `
    -UserContainer "CN=VendorsContainer,CN=VendorsPartition" `
    -LdapAuthenticationMethod Basic `
    -AnchorClaimLdapAttribute mail `
    -AnchorClaimType "<anchor claim type URI>" `
    -ClaimMappings @($GivenName, $Surname, $CommonName) `
    -AcceptanceTransformRules "c:[Type != '<claim type>'] => issue(claim = c);" `
    -Enabled $true `
    -OrganizationalAccountSuffix "vendors.contoso.com"
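Added example (not from the deck): the same registration as slides 10 and 11, but over LDAPS, with the claim type URIs spelled out, and with a verification step at the end. The host name, port, bind account, container DN and the "Vendors" names are assumptions; the claim type URIs are AD FS's built-in claim descriptions.

```powershell
# Added example (not from the deck). Same registration as slides 10-11, but over
# LDAPS with the claim type URIs spelled out and a verification step.
# Host name, port, bind account, container DN and the "Vendors" names are assumptions.
Import-Module ADFS

$DirectoryCred = Get-Credential -Message "Read-only LDAP bind account"

# LDAPS (636) with SslMode Ssl: a Basic bind otherwise sends the bind password and
# every user's password over the wire in clear text.
$vendorDirectory = New-AdfsLdapServerConnection -HostName "ldap.vendors.example" -Port 636 `
    -SslMode Ssl -AuthenticationMethod Basic -Credential $DirectoryCred

# Claim types are AD FS's built-in claim descriptions; confirm on your farm with
#   Get-AdfsClaimDescription | Select-Object Name, ClaimType
$GivenName  = New-AdfsLdapAttributeToClaimMapping -LdapAttribute givenName `
    -ClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
$Surname    = New-AdfsLdapAttributeToClaimMapping -LdapAttribute sn `
    -ClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"
$CommonName = New-AdfsLdapAttributeToClaimMapping -LdapAttribute cn `
    -ClaimType "http://schemas.xmlsoap.org/claims/CommonName"

# Scope is limited to one container; the anchor attribute (mail) must be unique inside it.
Add-AdfsLocalClaimsProviderTrust -Name "Vendors" -Identifier "urn:vendors" -Type Ldap `
    -LdapServerConnection $vendorDirectory `
    -UserObjectClass inetOrgPerson `
    -UserContainer "OU=Vendors,DC=vendors,DC=example" `
    -LdapAuthenticationMethod Basic `
    -AnchorClaimLdapAttribute mail `
    -AnchorClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" `
    -ClaimMappings @($GivenName, $Surname, $CommonName) `
    -AcceptanceTransformRules 'c:[] => issue(claim = c);' `
    -OrganizationalAccountSuffix "vendors.contoso.com" `
    -Enabled $true

# Check: the trust is registered, enabled and scoped as intended.
Get-AdfsLocalClaimsProviderTrust -Name "Vendors" | Format-List *
```

The pass-through acceptance rule forwards every claim the LDAP store produced; tighten it to the claim types the relying parties actually need once the mappings are settled.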

12 Moving from 2012R2 to 2016 gets easier!
Just 'join' a Server vNext node to the existing farm; the farm keeps running in 'compat' mode at the 2012 R2 farm level.
Validate existing functionality, then add more vNext nodes.
Wean load off the older version by removing the 2012 R2 nodes from the load balancer.
Roll back is supported as long as the farm level has not been raised: remove the vNext nodes and put the 2012 R2 nodes back behind the load balancer.
Upgrade the farm version, use the new features, and remove the old-version nodes.
(Diagram: WAP, WAP, load balancer, ADFS (primary), ADFS (secondary); farm level moves from 2012R2 to vNext.)
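Added example (not from the deck): the checks to run on a mixed farm before raising its level. The cmdlet names are the Windows Server 2016 names for what the slide calls the vNext farm level; the farm itself is assumed.

```powershell
# Added example (not from the deck): inspect a mixed 2012 R2 / 2016 farm and raise
# its behavior level only when nothing blocks the raise.
Import-Module ADFS

$farm = Get-AdfsFarmInformation
"Current farm behavior level: $($farm.CurrentFarmBehavior)"
$farm.FarmNodes | Format-Table FQDN, NodeType, BehaviorLevel -AutoSize

# Every remaining node must already be at the new level: drain the 2012 R2 nodes
# from the load balancer and remove them from the farm first. Rollback is only
# possible at this stage, by removing the new nodes; the raise itself is one-way.
Test-AdfsFarmBehaviorLevelRaise

# After the test reports no blockers:
Invoke-AdfsFarmBehaviorLevelRaise -Confirm:$false
(Get-AdfsFarmInformation).CurrentFarmBehavior
```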

13 Azure AD Connect Health
Monitor the ADFS service for reliable and highly available authentication, with notification for critical alerts.
Analyze ADFS logins for usage and capacity planning, by app, authentication type, network location and failures.
Perform forensic analysis on top users with bad passwords.
Troubleshoot with easy access to critical performance counters.
"After migrating from ADFS 2.0 to ADFS 3.0, Azure AD Connect Health helped us identify critical issues with our system such as missing QFEs, connectivity issues and missing certificates or certificate expirations. The service is very user friendly and helpful for keeping the health of the federation service in check." – Fortune 500 consulting organization

14 Conditional Access with MDM integration

15 Introducing ‘Conditional Access Control’
Conditional access control evaluates:
User attributes: user identity, group memberships, authentication strength (MFA)
Devices: authenticated, MDM managed (Intune), compliant with policies, not lost/stolen
Application: business sensitivity
Other: inside or outside the corporate network, risk profile
Applies to on-premises applications.

16 Access Control Policies
Demo

17 Device Registration with the Azure AD Device Registration Service
Discover & Authenticate
1. The device connects to the Azure AD Device Registration service to look up the service information, registration endpoints, and authentication requirements.
2. The device connects to Azure AD, where the user is authenticated using the authentication requirements discovered in the first step. Azure AD issues an access token for the Azure AD Device Registration Service.
Registration
3. The client generates a key pair and a certificate signing request. The key and certificate are stored in the local Microsoft keychain; the key is generated and stored in a Trusted Platform Module (TPM) if the device has one.
4. The device sends the Azure AD issued access token and the certificate signing request to the Azure AD Device Registration Service.
5. The service signs the certificate request using a self-signed service certificate.
6. A device object is created in Azure Active Directory. The device object represents the registered user on the device.
Device Write-back
7. The device object is written back to Active Directory via Azure AD Connect.
8. ADFS consumes device objects for device authentication and conditional access to applications that trust ADFS.
(Diagram: device, Azure AD Device Registration, Azure Active Directory and Intune in Azure; Azure AD Connect, Active Directory and ADFS on-premises; the device certificate is signed with the service certificate.)

18 Device Conditional Access
Enable access only from devices that are managed and/or compliant.
Support for restricting access to corporate 'joined' PCs: Windows 10 joined devices (domain join and Azure AD join) get integrated experiences as part of their join process; Windows 7/8.1 domain-joined PCs are supported via group policy based deployment.
Revocation of access and SSO when device attributes change: the user is prompted for fresh credentials or denied access.

19 Access Control Policies
Templates to simplify applying similar policies across multiple applications.
Parameterized templates to support assigning different values for access control (e.g. a security group).
Simpler UI with support for many new conditions.
Conditional predicates: security groups; networks (inside, outside, IP range); device trust level (authenticated, managed, compliant); require MFA.
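Added example (not from the deck): the policy "members of the Finance group, from a device registered to this user, with MFA whenever the request comes from outside the corporate network", written as the claim rules behind the predicates on slides 15 and 19 and applied to one relying party. "Finance", the group SID and the relying party name are assumptions; the claim type URIs are the ones AD FS issues for device context, network location and authentication method.

```powershell
# Added example (not from the deck): conditional access for one relying party as
# claim rules. "Finance" and the group SID are assumptions; compare the claim
# type URIs with Get-AdfsClaimDescription on your farm.
Import-Module ADFS

$rp = "Finance"
$financeGroupSid = "S-1-5-21-1111111111-2222222222-3333333333-1105"   # assumed

# Issuance authorization rules: any deny claim overrides every permit claim.
$authzRules = @"
@RuleName = "Deny when the device is not registered for this user"
NOT EXISTS([Type == "http://schemas.microsoft.com/2012/01/devicecontext/claims/isregistereduser", Value == "true"])
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "DeviceNotRegistered");

@RuleName = "Permit Finance group members"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "$financeGroupSid"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
"@

# Additional authentication rules: require MFA when the request did not come
# through the internal network (requests via the Web Application Proxy carry false).
$mfaRules = @'
@RuleName = "MFA from outside the corporate network"
c:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value = "http://schemas.microsoft.com/claims/multipleauthn");
'@

Set-AdfsRelyingPartyTrust -TargetName $rp `
    -IssuanceAuthorizationRules $authzRules `
    -AdditionalAuthenticationRules $mfaRules

# Check what is actually applied to the relying party.
Get-AdfsRelyingPartyTrust -Name $rp |
    Format-List Name, IssuanceAuthorizationRules, AdditionalAuthenticationRules
```

The deny rule fires when the device claim is absent as well as when it is false, so a client that skipped device authentication altogether is still blocked. The templates the slide describes package the same predicates for reuse across relying parties; the rules above are what a template expands to for a single one.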

20 Delegated Service Management
Separation between server administrators and ADFS service administrators: no requirement to be a local server administrator any more.
Standard security groups can be assigned as ADFS admins.
Administrator-configurable whether Local System and the local administrators group are also allowed to manage the service.

21 Audit Enhancements
Schematized audits: schematized for easy parsing.
Fewer but comprehensive audits: reduces the number of audit events per logon from ~80 to fewer than 3.
Turned on by default in a new farm; existing audits are kept in 'verbose' mode for backward compatibility.
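Added example (not from the deck): turning the schematized audits on, confirming the Security log actually receives them, and counting events per ID so the "~80 to fewer than 3" reduction can be checked on your own farm. The one-hour look-back window is an assumption.

```powershell
# Added example (not from the deck): enable AD FS auditing at the schematized
# Basic level, then read back what the Security log recorded.
Import-Module ADFS

# Audits only appear if the Application Generated subcategory is audited on every
# farm node (the service account also needs the "Generate security audits" right).
auditpol.exe /set /subcategory:"Application Generated" /success:enable /failure:enable

# Basic = the new schematized events; Verbose = the 2012 R2 style per-logon flood
# kept for backward compatibility; None = off (do not run a farm like that).
Set-AdfsProperties -AuditLevel Basic
"Audit level now: $((Get-AdfsProperties).AuditLevel)"

# Pull the last hour of AD FS audits and see which event IDs dominate.
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'Security'
    ProviderName = 'AD FS Auditing'
    StartTime    = (Get-Date).AddHours(-1)
} -ErrorAction SilentlyContinue

$events | Group-Object Id | Sort-Object Count -Descending |
    Format-Table @{ n = 'EventId'; e = { $_.Name } }, Count -AutoSize

# Schematized events keep their fields in EventData; show the newest one parsed.
if ($events) {
    $x = [xml]$events[0].ToXml()
    $x.Event.EventData.Data
}
```

Run the audit level change on one node and the auditpol command on every node; the first is farm-wide configuration, the second is a per-server local security policy setting.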

22 Build Modern Applications

23 Authentication Protocols
WS-Fed, SAML 2.0, OpenID Connect and OAuth 2.0 (including on-behalf-of): standards-based, HTTP-based protocols for maximum platform reach.
(Diagram: browser, web application, Web API, native app and server app, with the protocol used on each hop: OpenID Connect from the browser to the web application, OAuth 2.0 from native and server apps to a Web API, and OAuth 2.0 on-behalf-of from one Web API to the next.)

24 OAuth in ADFS vNext
Windows Server 2012 R2: authorization grant profile, public clients only.
Additional profiles in vNext:
Implicit flow to support single-page applications (say using angular.js)
Resource owner password credentials for scripting apps
On-behalf-of (OBO) support: enables multi-tier applications to pass the user context on to back-end services
ID token support
Confidential client authentication: symmetric keys, asymmetric keys, Windows accounts
Secure device authentication: provides protection from roaming attacks; avoids TLS where certificate prompts don't work

25 OpenID Connect
Enables apps (e.g. MVC) with a web front end as well as a WebAPI back end.
Returns an authorization code to the web application, which is exchanged for tokens and refresh tokens.
Support for OpenID Connect Discovery.
Scopes: define a resource group within an application.
Permissions: assignment of scopes for a 'client' to access a 'service' application.
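Added example (not from the deck) for slides 24 and 25: one application group holding an MVC front end (confidential client), a native client (public client) and two Web APIs, the client-to-service permissions expressed as scopes, and a read of the discovery document to confirm which flows the farm advertises. Names, identifiers, redirect URIs and the farm host fs.contoso.com are assumptions; the cmdlets are the AD FS 2016 application group cmdlets, and the on-behalf-of hop between the two APIs is not configured here.

```powershell
# Added example (not from the deck): application group, client and service
# registrations, scope permissions and a discovery check.
Import-Module ADFS

$group = "ExpenseApp"
New-AdfsApplicationGroup -Name $group -ApplicationGroupIdentifier $group `
    -Description "Expense web front end, native client and APIs"

# Public client: authorization code flow with no secret, so the redirect URI list
# is the only thing binding a token response to this client. Keep it exact.
Add-AdfsNativeClientApplication -ApplicationGroupIdentifier $group -Name "$group native" `
    -Identifier "expense-native" -RedirectUri "http://localhost:5000/signin-oidc"

# Confidential client for the MVC front end; the generated secret is returned once.
$web = Add-AdfsServerApplication -ApplicationGroupIdentifier $group -Name "$group web" `
    -Identifier "expense-web" -RedirectUri "https://expense.contoso.com/signin-oidc" `
    -GenerateClientSecret
# $web.ClientSecret belongs in a secret store, never in source control.

# Resource servers. The issuance rules decide which claims end up in access tokens.
Add-AdfsWebApiApplication -ApplicationGroupIdentifier $group -Name "$group API" `
    -Identifier "https://api.contoso.com/expense" -AccessControlPolicyName "Permit everyone" `
    -IssuanceTransformRules 'c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"] => issue(claim = c);'
Add-AdfsWebApiApplication -ApplicationGroupIdentifier $group -Name "$group ledger API" `
    -Identifier "https://api.contoso.com/ledger" -AccessControlPolicyName "Permit everyone"

# Permissions: which client may obtain tokens for which service, and with which scopes.
Grant-AdfsApplicationPermission -ClientRoleIdentifier "expense-native" `
    -ServerRoleIdentifier "https://api.contoso.com/expense" -ScopeNames "openid", "user_impersonation"
Grant-AdfsApplicationPermission -ClientRoleIdentifier "expense-web" `
    -ServerRoleIdentifier "https://api.contoso.com/expense" -ScopeNames "openid", "user_impersonation"

Get-AdfsApplicationPermission | Format-Table -AutoSize

# Discovery: what the farm advertises to OpenID Connect clients.
$fs = "fs.contoso.com"
$disc = Invoke-RestMethod -Uri "https://$fs/adfs/.well-known/openid-configuration"
$disc | Format-List issuer, authorization_endpoint, token_endpoint, jwks_uri
"Response types (the implicit flow needs one containing 'token'): $($disc.response_types_supported -join ', ')"
```

A client with no permission grant for a service gets no token for it, whatever scopes it asks for; review the output of Get-AdfsApplicationPermission the same way you would review a relying party's authorization rules.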

26 OpenID Connect Demo

27 Enhanced Sign-In Experiences

28 App Branding with per-RP Customization
Modify the sign-in page description to have RP-specific language/links.
Modify images (e.g. illustration and logo) to align with RP-specific branding.
Modify JavaScript via onload.js to control UI elements that are RP specific.
Easier management using a custom web theme to have a similar look and feel across a set of RPs.

29 Per-RP customization Demo

30 Per-RP Customization Examples
Per-RP Customization Examples
# <...> marks a value that is not present in the transcript.
# Modify the sign-in page description for a specific RP
Set-AdfsRelyingPartyWebContent -TargetRelyingPartyName "<relying party name>" -SignInPageDescriptionText "Hello, you are signing into the Finance app. You will be prompted for additional credentials"
# Modify the illustration image or logo to show RP branding
Set-AdfsRelyingPartyWebTheme -TargetRelyingPartyName "Who Am I" -Illustration @{path="<path to illustration image>"} -Logo @{path="<path to logo image>"}
# Use specific JavaScript via a customized onload.js to handle UI element changes on a per-application basis
Set-AdfsRelyingPartyWebTheme -TargetRelyingPartyName "Who Am I" -OnLoadScriptPath "<path to onload.js>"

31 Device Authentication as Primary
Device authentication is now supported as primary authentication, recognizing both the user and the device.
Simpler sign-in from devices.
Enables elimination of username/password exposure on the intranet.

32 AD FS: Certificate Proxy Authentication
Enables seamless access to Azure RemoteApp without having to sign in again to the VM session.
Enables hybrid scenarios where a cloud service can talk to on-premises services as the user without Kerberos constrained delegation (KCD).
How does it work?
ADFS acts as a registration authority for an existing AD CS PKI, or ADFS acts as its own certificate authority trusted by AD DS.
The client calls ADFS via an OAuth extension to request a certificate: confidential clients present an ADFS token for the user and get back a certificate.

33 Enhance Security with AD Domain Services

34 Time-limited group memberships
Users can be added to a security group with a time-to-live (TTL). When the TTL expires, the user's membership in that group disappears; a scavenger thread cleans up expired memberships.
Kerberos ticket lifetime is determined by the TTL of the user's memberships: the TGT lifetime is capped by the shortest group membership TTL, and the service ticket (ST) by the TGT and by resource-domain local group memberships.
Requires the Windows Server 2016 forest functional level.
(Diagram: Group -> Member: <TTL, user-DN>; User -> TGT: shortest group lifetime; ST: shortest of TGT and resource local domain group.)

35 JIT forest
Create a new Windows Server 2016 forest; no need to change the existing forest.
Create a new 'PIM' trust from the new forest to the existing forest.
Add shadow principals in the new forest. A shadow principal is a new object class created in the configuration NC; unlike a security group, it carries the security identifier (SID) of a principal from a domain in another forest.
Add a shadow admin user.
Remove admins from the existing groups.
The PIM system manages the TTL groups: a workflow adds the shadow user to the shadow admin group for a limited time.
(Diagram: existing forest, JIT forest, PIM forest trust, TTL group membership, PIM.)
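Added example (not from the deck) for slides 34 and 35: the AD DS side of the story in PowerShell, from enabling the optional feature, through a time-bound membership in an ordinary group, to a shadow principal in the bastion forest that carries a production group's SID and a time-bound link to the shadow admin. Forest names, DNs, group and user names are assumptions, and so is the "<TTL=seconds,DN>" link syntax used to write the shadow principal's member attribute (it is the form the AD module shows time-bound links in).

```powershell
# Added example (not from the deck): TTL group memberships and a shadow principal.
# Forest names, DNs, group and user names are assumptions.
Import-Module ActiveDirectory

$bastion = "priv.contoso.com"      # new Windows Server 2016 (PIM) forest, assumed
$prod    = "corp.contoso.com"      # existing forest, assumed

# 1. The optional feature behind TTL memberships. Enabling it is one-way and
#    requires the Windows Server 2016 forest functional level.
if ((Get-ADForest -Identity $bastion).ForestMode -notmatch "2016") {
    throw "Raise $bastion to the Windows Server 2016 forest functional level first"
}
Enable-ADOptionalFeature -Identity "Privileged Access Management Feature" `
    -Scope ForestOrConfigurationSet -Target $bastion -Server $bastion

# 2. Time-bound membership in an ordinary group: the scavenger removes the link
#    when the TTL runs out, and the KDC caps the user's TGT at the shortest TTL.
Add-ADGroupMember -Identity "Tier0-Admins" -Members "alice" -Server $bastion `
    -MemberTimeToLive (New-TimeSpan -Minutes 30)
# Check: time-bound members are listed as <TTL=seconds,DN>.
(Get-ADGroup -Identity "Tier0-Admins" -Properties member -Server $bastion -ShowMemberTimeToLive).member

# 3. Shadow principal: an object in the bastion forest's configuration NC that
#    carries the SID of a group in the production forest. The production forest
#    only needs to trust the bastion forest (the PIM trust).
$prodAdmins = Get-ADGroup -Identity "Domain Admins" -Server $prod
$spPath = "CN=Shadow Principal Configuration,CN=Services,CN=Configuration,DC=priv,DC=contoso,DC=com"
New-ADObject -Type msDS-ShadowPrincipal -Name "corp Domain Admins" -Path $spPath -Server $bastion `
    -OtherAttributes @{ 'msDS-ShadowPrincipalSid' = $prodAdmins.SID }

# 4. What the PIM workflow does: add the bastion-forest admin user to the shadow
#    principal for 30 minutes (1800 s). The user's TGT then carries the production
#    "Domain Admins" SID until the link expires.
$shadowAdmin = Get-ADUser -Identity "alice" -Server $bastion
Set-ADObject -Identity "CN=corp Domain Admins,$spPath" -Server $bastion `
    -Add @{ member = "<TTL=1800,$($shadowAdmin.DistinguishedName)>" }
(Get-ADObject -Identity "CN=corp Domain Admins,$spPath" -Properties member -Server $bastion).member
```

After step 4, a fresh logon by alice (or klist purge followed by re-authentication) is what picks up the SID; the TTL bounds how long that TGT can be, which is the point of the feature.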

36 Support for Windows ‘10’ devices
Enable secure login to Windows with Microsoft Passport.
Passport is a strong credential bound to the device; it is TPM protected and can be attested. It is similar to virtual smart cards, but without certificate encoding for the keys.
New domain controller support to authenticate with Microsoft Passport credentials: requires one or more Windows Server 2016 domain controllers in the user's domain (no domain functional level requirement).
Provisioning of Microsoft Passport credentials for on-premises-only customers: provisioning is enabled on the ADFS servers. NOTE: hybrid customers use Azure AD for provisioning.
SSO to applications protected by ADFS: login to a Windows 10 device primes a Primary Refresh Token (PRT) for SSO to apps protected by ADFS.

37 Keeping Time

38 Time Synchronization
Current accuracy (100s of ms) does not meet many modern needs; applications such as video game rendering or stock trading require highly accurate time.
Improvements: elimination of rounding errors while calculating time; more frequent, fine-tuned adjustments leading to better accuracy; more accurate time server estimation.
Leading to accuracy within 10s of microseconds.

39 Microsoft Mobility Quest
Liked what you saw? Experience it and win Visit our booth Check out our solutions Complete our missions ….You are entered to win!

40 Ignite Azure Challenge Sweepstakes
Attend Azure sessions and activities, track your progress online, win raffle tickets for great prizes! Aka.ms/MyAzureChallenge
Enter this session code online: "NGFC"
(10) Microsoft Surface Pro 3 Core i5 256GB; (30) Xbox One Master Chief Collection Bundle; (55) Microsoft Band; offers throughout the week.
NO PURCHASE NECESSARY. Open only to event attendees. Winners must be present to win. Game ends May 9th. For Official Rules, see The Cloud and Enterprise Lounge or myignite.com/challenge

41 Related Content
BRK3863: Identity and Access Management Everywhere
BRK3851: Real Customer Stories for Azure Active Directory Premium
BRK3862: Extending On-Premises Directories to the Cloud Made Easy with Azure AD Connect
BRK3864: Enable Your On-Premises Apps for the Cloud with Microsoft Azure AD Application Proxy
BRK3865: How Microsoft Azure AD Helps Prevent, Detect and Remediate Attacks to Your Enterprise
BRK3867: Microsoft Identity Platform for Developers: Overview and Roadmap
BRK3854: How Microsoft IT Manages Identity in a Hybrid Cloud World
BRK3332: Microsoft Azure Active Directory and Windows 10: Better Together for Work or School
BRK4850: Developing Web and Cross Platform Mobile Apps with Azure Active Directory
BRK3873: Protecting Windows and Microsoft Azure AD with Privileged Access Management
BRK3857: Upgrading from FIM to Microsoft Identity Manager and Azure Active Directory

42 Ignite Azure Challenge Sweepstakes
Attend Azure sessions and activities, track your progress online, win raffle tickets for great prizes! Aka.ms/MyAzureChallenge
Enter this session code online: BRK3871
NO PURCHASE NECESSARY. Open only to event attendees. Winners must be present to win. Game ends May 9th. For Official Rules, see The Cloud and Enterprise Lounge or myignite.com/challenge

43 Please evaluate this session
Your feedback is important to us! Visit MyIgnite or download and use the Ignite Mobile App.
