Azure Identity Fundamentals
aka.ms/AFUN90 #MSIgniteTheTour
Resources
Security used to be so much easier
(diagram: users, devices, apps and data, all on-premises / private cloud, managed by Windows Server Active Directory)
Authentication and Authorization
Identity & Access Goals
How does Tailwind Traders customize Azure Active Directory and configure administrative permissions?
Demo: Configuring Azure Active Directory and an administrator account
Azure Active Directory
Some Critical Azure AD Administrative Roles
Global Administrator
• Have access to all administrative features of Azure Active Directory
• Different from “classic” Service Administrator role
Billing Administrator
• Make purchases
• Manage subscriptions
• Manage support tickets
• Monitor service health
Application Administrator
• Create and manage all aspects of enterprise applications
Authentication Administrator
• Can set or reset non-password credentials
• Can update passwords for all users
Helpdesk Administrator
• Change passwords
• Invalidate refresh tokens
• Manage service requests and monitor service health
Microsoft’s Identity Services
(diagram: Active Directory, Domain, Domain Controllers)
Azure Active Directory
• No domain controllers
• No replication to manage between Cloud regions
Office 365 and Microsoft 365
How does Tailwind Traders synchronize on-premises and cloud identities?
Demo: Configuring Azure AD Connect
Microsoft’s Identity Services
(diagram: Domain, Domain Controllers, Identity-as-a-Service)
Azure AD Connect
(diagram: Windows Server Active Directory in the on-premises / private cloud, connected through Azure AD Connect to Microsoft Azure Active Directory; components shown: sync engine, seamless authentication, single sign-on, MFA, self service)
Password Hash Sync
(diagram: on-premises Active Directory, synchronized by Azure AD Connect to Azure AD)
Great user experience
• Same passwords for cloud-based and on-premises apps
• Disaster recovery option in case other authN methods are unavailable
Secure and compliant
• Only non-reversible hashes are stored in the cloud
• Leaked credential report available
• Integrated with Smart Lockout, Identity Protection and Conditional Access
Easy to deploy & administer
• No on-premises agent needed
• Small on-premises footprint
Pass-through Authentication
(diagram: on-premises Active Directory with AuthN agents, validating sign-ins for Azure AD)
(slide title not captured; diagram: on-premises Active Directory and Azure AD)
Great user experience / Secure and compliant / Easy to deploy & administer
• Works with Password Hash Sync and Pass-through Authentication
• No additional on-premises infrastructure
• SSO experience from domain-joined devices within your corpnet
How does Tailwind Traders give external users access to their Azure resources?
Demo: Configuring Azure AD Guest Access
Microsoft’s Identity Services
Azure AD B2B and Azure AD B2C
Azure AD B2B
• Allows organization to share files and resources with external users for direct collaboration
• Azure AD handles the federation between your organization and the external organization
Azure AD B2C
• Suitable for customer-facing apps.
• Allows customers to sign in with their own established identity (Gmail / Facebook)
How can Tailwind Traders allow users to reset their own passwords?
Demo: Configuring Self-Service Password Reset
Empower user self-service to save time and money
Detecting threats to accounts as they occur
Connected intelligence: observe trillions of signals and risk events from cloud systems
Continuous detection: apply artificial intelligence and human expertise to derive accurate insights
Actionable insights: send alerts, self-mitigate, and automatically remediate threats
How can Tailwind Traders require a user to take extra steps to identify themselves when performing a risky sign-in?
Demo: Configuring Conditional Access
Azure AD Conditional Access
(diagram, reconstructed from the slide's labels)
Identity sources: Azure AD, ADFS, MSA, Google ID
Conditions:
• Users and Roles: Employee & Partner
• Devices: Android, iOS, MacOS, Windows; Trusted & Compliant Devices; Windows Defender ATP
• Risk: Machine learning, Real time Evaluation Engine
• Location: Geo-location, Physical & Virtual Location, Corporate Network
• Client apps & Auth Method: Browser apps
• Policies, combined into an Effective policy
Controls:
• Allow/block access
• Session
• Limited access
• Require MFA
• Force password reset
• Block legacy authentication
Protected resources: Microsoft Cloud, Microsoft Cloud App Security, Cloud SaaS apps
Smart Lockout in action
(diagram: the Data Center keeps two counters for the account, a Familiar Location counter and an Unfamiliar Location counter; the User is in Redmond, WA; the Unfamiliar Location counter value shown on each slide is given below)
• User logs in from Redmond, WA with the correct password. Unfamiliar Location counter: 0. Counter remains unchanged.
• User logs in from Redmond, WA with an incorrect password. Unfamiliar Location counter: 0. Familiar location’s counter increases.
• User logs in from Redmond, WA with an incorrect password again. Unfamiliar Location counter: 0. Familiar location’s counter increases.
• User logs in from Redmond, WA a third time with the correct password. Unfamiliar Location counter: 0. Familiar location’s counter resets.
• A Bad Actor is located in Tasmania.
• Bad actor logs in from Tasmania with an incorrect password. Unfamiliar Location counter: 1. Unfamiliar location counter increases.
• Bad actor logs in from Tasmania with an incorrect password again. Unfamiliar Location counter: 2. Unfamiliar location counter increases.
• Bad actor logs in from Tasmania with an incorrect password again. Unfamiliar Location counter: 10. Unfamiliar location counter increases; the bad actor is LOCKED OUT.
• User logs in from Redmond, WA with the correct password. Unfamiliar Location counter: 10. User hit the familiar location counter, not the unfamiliar location counter: the user is not locked out while the bad actor stays LOCKED OUT.
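The two-counter behaviour walked through on the Smart Lockout slides, as an added example that is not part of the deck and not Microsoft’s implementation: a simplified model in which the familiar and unfamiliar buckets each keep their own failed-attempt counter, a correct password resets only the bucket it arrives through, and a bucket that reaches the threshold (10, the value the slides show) locks without affecting the other one. The `known_locations` set, the `Account` class and the lockout threshold handling are assumptions made for the example.

```python
# Added example (not Microsoft's code): a simplified model of Smart Lockout's
# per-location counters. Assumptions: a location is familiar if it is in the
# account's known_locations set; each bucket keeps its own failed-attempt
# counter and locks on its own when it reaches LOCKOUT_THRESHOLD.
from __future__ import annotations
from dataclasses import dataclass, field

LOCKOUT_THRESHOLD = 10  # the value the slides show when the bad actor is locked out


@dataclass
class Account:
    password: str
    known_locations: set[str]
    counters: dict[str, int] = field(
        default_factory=lambda: {"familiar": 0, "unfamiliar": 0})
    locked: set[str] = field(default_factory=set)  # buckets currently locked out

    def bucket(self, location: str) -> str:
        return "familiar" if location in self.known_locations else "unfamiliar"

    def sign_in(self, location: str, password: str) -> str:
        """Process one sign-in attempt; returns 'success', 'failure' or 'locked'."""
        b = self.bucket(location)
        if b in self.locked:
            return "locked"  # only this bucket is rejected; the other keeps working
        if password == self.password:  # plain compare: the model is about counters
            self.counters[b] = 0  # a correct password resets this bucket only
            return "success"
        self.counters[b] += 1
        if self.counters[b] >= LOCKOUT_THRESHOLD:
            self.locked.add(b)
        return "failure"


def replay_slides() -> Account:
    """Replay the slide sequence and return the resulting account state."""
    acct = Account(password="correct-horse", known_locations={"Redmond, WA"})
    acct.sign_in("Redmond, WA", "correct-horse")  # familiar counter unchanged (0)
    acct.sign_in("Redmond, WA", "wrong")          # familiar counter -> 1
    acct.sign_in("Redmond, WA", "wrong")          # familiar counter -> 2
    acct.sign_in("Redmond, WA", "correct-horse")  # familiar counter resets to 0
    for _ in range(LOCKOUT_THRESHOLD):            # bad actor guessing from Tasmania
        acct.sign_in("Tasmania", "guess")         # unfamiliar counter -> 10, locked
    return acct  # the real user can still sign in from Redmond, WA
```

After `replay_slides()` the unfamiliar bucket is locked while a correct sign-in from Redmond, WA still succeeds, which is the property the slides illustrate.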
Password Challenges
How can Tailwind Traders ensure their users don’t use banned or common passwords?
Demo: Azure AD Password Protection
Azure AD Password Protection
Cloud intelligence to ensure strong passwords
Hybrid Azure AD Password Protection
Nobody likes passwords
Passwords are expensive and insecure
Microsoft’s password-replacement offerings
Want to learn more?
Presenters
MS Learn
Complete interactive learning exercises, watch videos, and practice and apply your new skills.
aka.ms/AFUN90MSLearnCollection
Microsoft Certification
• Microsoft Certified: Azure Fundamentals (aka.ms/AzureFunCert)
• Microsoft Certified: Azure Administrator Associate (aka.ms/AzureAdminCert)
Get hired, stay ahead, and receive the recognition you deserve
Exclusive offer for Microsoft Ignite The Tour attendees
Free Certification Exam on fundamentals, role-based, or specialty certifications*
Now is your chance to stand out among your peers. Get certified and prove your expertise to employers and peers and get the recognition and opportunities you've earned. Take advantage of this offer by scheduling a free exam online today.
Resources
Invent with purpose.