Crash Course In Azure Active Directory


February 2018

Competing today requires a focus on digital transformation and empowering everyone to be creative and work together securely. To create a modern workplace, you must provide seamless access to the tools and data people need, wherever they are, on whichever device they choose. To help keep your modern workplace secure, you need to protect your data effectively as it traverses many applications and locations.

A modern approach to identity and access management (IAM) can help you enable this transformation for a modern workplace. At its core is the adoption of Azure Active Directory (Azure AD) to establish one, unified identity, and provide an easy way to centralise authentication for many types of applications and services. By adopting Azure AD, you can provide effortless user experiences, unlock IT efficiencies and enhance security and compliance.

Once you've established one unified identity, your users can focus on innovation and work effectively on teams of all sizes. At the same time, Azure AD integrates once-disparate identity management tasks for IT simplicity and supports intelligent security. In this e-book, we'll take you on a quick tour of what you can accomplish with Azure AD and how to use it to its full potential.

What is Azure AD?

Azure AD is Microsoft's cloud-based directory and identity management service. It combines core directory services, advanced identity protection and application access management. Azure AD delivers single sign-on (SSO) access to on-premises and cloud applications, helping users to stay productive. By using Azure AD, developers can quickly integrate IAM into their applications.

As it is hosted as a fully managed cloud service, Azure AD is the ideal service for combining user accounts into a single, unified, highly secure identity. It integrates with the Active Directory technology used by thousands of businesses around the world, supporting seamless synchronisation from on-premises identity servers, yet with the accessibility and cross-platform capabilities of the cloud.

The solution provides a full range of modern IAM capabilities, including conditional access with multi-factor authentication (MFA) and password-free login options, single sign-on, self-service password management, role-based access control and intelligent security monitoring and alerting capabilities.

It includes solutions for authenticating users for software-as-a-service (SaaS), on-premises, web and mobile applications using a unified identity. That identity also simplifies the process of monitoring and controlling application access, because all authentications flow through a single system. To maximise the value of Azure AD, the one-identity-per-user model should be prioritised.

01. Improve the user experience

Save time and improve productivity with single sign-on

Workers use a variety of applications throughout the day. Managing passwords and logging in over and over again slows people down. Azure AD single sign-on (SSO) extends on-premises AD to the cloud, so people can use their primary corporate identity to sign in to domain-joined devices, company resources, and web and software-as-a-service (SaaS) applications.

This frees users from the burden of managing multiple logins and enables organisations to provide or revoke access based on employee role. Azure AD manages the user lifecycle dynamically, integrating with Human Resources controls to provide automatic access to the apps users need based on team and role. As users join, move and leave, access adapts based on preset policies.

Using Azure AD SSO, you can manage user access to SaaS applications directly from the Azure Portal, and even delegate application access decision making and approvals to anyone in the organisation for greater productivity. Built-in monitoring and reporting of user activity will help your organisation identify and mitigate unauthorised access.

Use password-free login for security and ease

Keeping track of passwords can be a major headache for users, leading them to write credentials down in unencrypted form and opening the door to security breaches. Azure AD provides password-free login options that make authenticating easier for users and more secure for businesses.

For example, by using the Microsoft Authenticator app, employees can sign in by approving a notification on their phone. On a Windows 10 device that IT has joined to Azure AD, Windows Hello can unlock both the device and apps by recognising a PIN, smart card or biometrics such as a fingerprint or face.

Simplify password management with Azure AD self-service password reset

Your IT department should be able to prioritise strategic and mission-critical work, rather than spending time resetting passwords. With Azure AD self-service password reset (SSPR), you can enable users to change their passwords and unlock their accounts without calling the helpdesk. It is a full-featured solution, enabling authentication by text message, phone call, email or security questions. Because these methods are not equally strong, configure SSPR to require two of them before a reset and treat security questions as the method of last resort.

Give users a consistent experience by adding your corporate branding

Apply your company's look and feel to your Azure AD sign-in page, which appears when users sign in to applications that use Azure AD as an identity provider. This option can be configured in the Azure AD admin centre.

02. Connect your on-premises and cloud applications in one ecosystem

Integrate on-premises directories with Azure AD Connect

If you use Active Directory on premises, you can easily benefit from Azure AD by synchronising the two using Azure AD Connect. By providing a single, common identity to access both cloud and on-premises resources, you can improve the user experience, support productivity and enable advanced security capabilities. Azure AD Connect can work with Active Directory Federation Services (AD FS) to address complex deployment scenarios such as domain-joined SSO. Because the Azure AD Connect server holds credentials for both directories, protect it as carefully as you would a domain controller.

Azure AD Connect also includes Azure AD Connect Health to help you monitor and report on your hybrid directory environment. A lightweight Azure AD Connect Health agent installed on your on-premises identity servers reports their health, so you can ensure that users can reliably access all the resources they need.

Enable easy remote access using Azure AD Application Proxy

When you empower your employees to work on their own devices with access to on-premises applications from anywhere, you can significantly improve productivity. Some traditional access methods for remote workers, such as virtual private networks (VPNs) and demilitarised zones (DMZs), can be complex and challenging to secure and manage.

Azure AD Application Proxy enables SSO and secure remote access for on-premises web applications such as SharePoint sites, Outlook Web Access on Exchange Server or other line-of-business applications. Users can access on-premises and cloud applications using one identity, and there's no need to change network infrastructure or employ a VPN: the on-premises connector makes only outbound connections to Azure AD, so no inbound ports need to be opened.

Engage more effectively with Azure AD B2B collaboration

Employees aren't the only people who need secure access to your application ecosystem. You may also need to connect with vendors, partners, subsidiaries or other external entities. Using Azure AD B2B collaboration, you can give guest users single sign-on access to applications of your choice, with powerful authentication policies managed by Azure AD.

03. Secure identities more effectively

Improve security with Azure AD Conditional Access and MFA

In a world of growing cyber threats, passwords aren't enough to protect sensitive information, but you don't want to compromise productivity either. Azure AD Conditional Access simplifies multi-factor authentication so that it is only required when conditions represent risk.

Conditional Access evaluates signals about the user, the device, the location and the application being used to sign in, together with the sign-in risk level calculated by Azure AD Identity Protection, to determine whether to allow the sign-in, require MFA or a password reset, or limit functionality in the app. Azure MFA lets you add device-based or biometric security while giving users a streamlined sign-in process. You can use phone calls, text messages or app-based verification as the secondary authentication method.
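How risk-conditioned MFA fits together is easier to see in a small policy evaluator. The following is an added, illustrative model written for this page, not Azure AD's implementation or Microsoft code: the policy fields are simplified, the control names follow Microsoft Graph's builtInControls values (mfa, compliantDevice, passwordChange, block), and the accounts, group and application names are constructed sample data. The evaluation rules it applies are the documented ones: every policy whose assignment and conditions match a sign-in applies, the sign-in must satisfy the controls of all of them, and block overrides any grant.

```python
"""Illustrative model of Conditional Access policy evaluation (added example,
not Azure AD's engine). Accounts, groups and app names below are constructed."""
from dataclasses import dataclass

# Ordered sign-in risk levels as reported by Identity Protection.
RISK_ORDER = {"none": 0, "low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class SignIn:
    """The signals a sign-in attempt carries into policy evaluation."""
    user: str
    groups: frozenset
    app: str
    sign_in_risk: str            # "none", "low", "medium" or "high"
    device_compliant: bool       # device is managed and marked compliant
    trusted_location: bool       # request comes from a named trusted location
    mfa_completed: bool = False  # a second factor was already presented


@dataclass(frozen=True)
class Policy:
    """A Conditional Access policy: assignment + conditions + grant controls."""
    name: str
    include_users: frozenset = frozenset({"All"})
    exclude_users: frozenset = frozenset()    # e.g. the break-glass account
    include_groups: frozenset = frozenset()
    include_apps: frozenset = frozenset({"All"})
    min_sign_in_risk: str = "none"            # fires at this risk level or above
    exclude_trusted_locations: bool = False   # skip when at a trusted location
    controls: frozenset = frozenset({"mfa"})  # mfa, compliantDevice, passwordChange, block

    def applies(self, s: SignIn) -> bool:
        """True when the sign-in falls inside this policy's assignment and conditions."""
        if s.user in self.exclude_users:          # exclusions always win
            return False
        in_scope = ("All" in self.include_users
                    or s.user in self.include_users
                    or bool(self.include_groups & s.groups))
        if not in_scope:
            return False
        if not ("All" in self.include_apps or s.app in self.include_apps):
            return False
        if RISK_ORDER[s.sign_in_risk] < RISK_ORDER[self.min_sign_in_risk]:
            return False
        if self.exclude_trusted_locations and s.trusted_location:
            return False
        return True


def evaluate(policies, s: SignIn):
    """Return (decision, outstanding_controls, matched_policy_names).

    decision is "allow", "challenge" (the user must satisfy the listed
    controls before access is granted) or "block".
    """
    applicable = [p for p in policies if p.applies(s)]
    required = set().union(*(p.controls for p in applicable))
    matched = [p.name for p in applicable]
    if "block" in required:                   # block overrides every grant
        return "block", frozenset({"block"}), matched
    outstanding = set()
    if "mfa" in required and not s.mfa_completed:
        outstanding.add("mfa")
    if "compliantDevice" in required and not s.device_compliant:
        outstanding.add("compliantDevice")
    if "passwordChange" in required:          # always an interactive step
        outstanding.add("passwordChange")
    return ("challenge" if outstanding else "allow"), frozenset(outstanding), matched


# Constructed sample policies mirroring the scenarios in the text.
BREAK_GLASS = "breakglass@example.com"        # assumed emergency-access account
POLICIES = (
    Policy(name="Require MFA on medium or high sign-in risk",
           exclude_users=frozenset({BREAK_GLASS}),
           min_sign_in_risk="medium"),
    Policy(name="Require a compliant device for Exchange Online",
           include_apps=frozenset({"Exchange Online"}),
           controls=frozenset({"compliantDevice"})),
    Policy(name="Block admins outside trusted locations",
           include_users=frozenset(),         # scoped by group only
           include_groups=frozenset({"Global Admins"}),
           exclude_users=frozenset({BREAK_GLASS}),
           exclude_trusted_locations=True,
           controls=frozenset({"block"})),
)


def decide(user, groups, app, risk, compliant, trusted, mfa_done=False):
    """Evaluate one constructed sign-in against POLICIES."""
    return evaluate(POLICIES, SignIn(user, frozenset(groups), app, risk,
                                     compliant, trusted, mfa_done))


if __name__ == "__main__":
    for case in [
        ("alice@example.com", {"Staff"}, "Teams", "low", True, True),
        ("alice@example.com", {"Staff"}, "Exchange Online", "high", False, False),
        ("bob@example.com", {"Global Admins"}, "Azure portal", "none", True, False),
        (BREAK_GLASS, {"Global Admins"}, "Azure portal", "high", False, False),
    ]:
        decision, controls, matched = decide(*case)
        print(f"{case[0]:<22} {case[2]:<16} risk={case[3]:<6} -> "
              f"{decision} {sorted(controls)} via {matched}")
```

Note the break-glass account excluded from every policy: an over-broad block or MFA policy that also catches every administrator can lock the whole tenant out, and an excluded emergency-access account is the standard guard against that.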

Detect and mitigate breaches with Azure AD Identity Protection

If an attacker steals a user's identity, even one with minimal privileges, they may still be able to gain access to critical systems and data. Azure AD Identity Protection helps you detect identity vulnerabilities, investigate and mitigate suspicious access, and configure automated responses to potential identity breaches. With Azure AD Identity Protection, you can protect all identities regardless of their privilege level and proactively prevent compromised identities from being abused.

The solution uses adaptive machine learning algorithms and heuristics to detect anomalies and suspicious incidents that indicate potentially compromised identities. Using this data, Identity Protection generates reports and alerts that enable you to evaluate the detected issues and take appropriate mitigation or remediation actions. You can also configure automated responses to potential identity breaches, including automatic blocking or remediation actions such as password resets and multi-factor authentication enforcement.

Delegate application controls safely using Azure AD Privileged Identity Management

Users may need privileged access to administrative controls for a variety of reasons. However, dormant or rarely used account privileges can linger unseen and enable access beyond what individuals need, which creates a security risk. Azure AD Privileged Identity Management (Azure AD PIM) enables you to provide granular access privileges to Azure AD resources and other Microsoft Online services on a temporary, as-needed or on-request basis, as well as manage, control and monitor those privileges to prevent problems. Making administrators eligible for a role rather than permanently assigned, and requiring MFA and a justification when they activate it, keeps standing privilege to a minimum.

Free trial for Azure AD: Discover the benefits of cloud-based identity

The best way to experience the power of Azure AD is to try it yourself. Start your free trial now.

© 2018 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks in the US and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this document. As Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this document.
