Azure Identity Fundamentals

aka.ms/AFUN90 #MSIgniteTheTour
Resources

Session Resources Hub: aka.ms/AFUN90
Session Code on GitHub: aka.ms/AFUN90Repo
All Event Session Resources: aka.ms/mymsignitethetour

Security used to be so much easier

users, devices, apps, data

Windows Server Active Directory

On-premises / private cloud

Authentication          Authorization

Something you know      Apps & resources
Something you have      Data
Something you are       Access level

Identity & Access Goals

Simplify access to devices and apps
Safeguard their credentials
Protect at access attempt

Identity & Access Goals

• Use a single identity for on-premises and cloud resources
• Enable customers to use their own credentials to access online resources
• Allow self-service password reset
• Stop employees from using known compromised passwords
• Analyze sign-on risk & protect appropriately
• Respond automatically to suspicious sign-on activity

How does Tailwind Traders customize Azure Active Directory and configure administrative permissions?

Demo: Configuring Azure Active Directory and an administrator account

Azure Active Directory

Azure Active Directory: Microsoft’s Cloud-Based Identity and Access Management Service

AAD Tenant: A dedicated and trusted instance of Azure AD that represents a single organization

Custom Domains: Initial Domain will be x.onmicrosoft.com
• Cannot be changed or modified
• Can add and verify custom domain

Some Critical Azure AD Administrative Roles

Role                          Function
Global Administrator          • Have access to all administrative features of Azure Active Directory
                              • Different from “classic” Service Administrator role
Billing Administrator         • Make purchases
                              • Manage subscriptions
                              • Manage support tickets
                              • Monitor service health
Application Administrator     • Create and manage all aspects of enterprise applications
Authentication Administrator  • Can set or reset non-password credentials
                              • Can update passwords for all users
Helpdesk Administrator        • Change passwords
                              • Invalidate refresh tokens
                              • Manage service requests and monitor service health

Microsoft’s Identity Services

Active Directory: Domain, Domain Controllers

Azure Active Directory

• No domain controllers
• No replication to manage between Cloud regions
• No OUs – flat structure
• Azure AD DS allows sign on to Linux and Windows VMs with Azure AD credentials

Office 365 and Microsoft 365

How does Tailwind Traders synchronize on-premises and cloud identities?

Demo: Configuring Azure AD Connect

Microsoft’s Identity Services

Active Directory: Domain, Domain Controllers
Azure Active Directory: Identity-as-a-Service

Azure AD Connect

Windows Server Active Directory (on-premises / private cloud) -> Azure AD Connect -> Microsoft Azure Active Directory

Azure AD Connect provides: sync engine, seamless authentication, single sign-on, MFA, self service

Password Hash Sync

On premises: Active Directory -> Azure AD Connect -> Azure AD

Great user experience
• Same passwords for cloud-based and on-premises apps
• Disaster recovery option in case other authN methods are unavailable

Secure and compliant
• Only non-reversible hashes are stored in the cloud
• Leaked credential report available
• Integrated with Smart Lockout, Identity Protection and Conditional Access

Easy to deploy & administer
• No on-premises agent needed
• Small on-premises footprint

Pass-through Authentication

On premises: Active Directory <-> AuthN agent <-> Azure AD

Great user experience
• Same passwords for cloud-based and on-premises apps
• Integrated with Self-Service Password Reset

Secure and compliant
• Passwords remain on-premises
• No DMZ and no inbound firewall requirements
• Integrated with Smart Lockout, Identity Protection and Conditional Access

Easy to deploy & administer
• Agent-based deployment
• High availability out-of-the-box
• No complex on-premises deployments or network config
• Zero management overhead

Seamless Single Sign-On

On premises: Active Directory <-> Azure AD

Easy to integrate
• Works with Password Hash Sync and Pass-through Authentication
• Supports Alternate Login ID

Easy to administer
• No additional on-premises infrastructure

Great user experience
• SSO experience from domain-joined devices within your corpnet
• Register non-Windows 10 devices without AD FS

How does Tailwind Traders give external users access to their Azure resources?

Demo: Configuring Azure AD Guest Access

Microsoft’s Identity Services

Active Directory: Domain, Domain Controllers
Azure Active Directory: Identity as a Service
Microsoft Account: Consumer

Azure AD B2B and Azure AD B2C

Azure AD B2B
• Allows organization to share files and resources with external users for direct collaboration
• Azure AD handles the federation between your organization and the external organization

Azure AD B2C
• Suitable for customer-facing apps.
• Allows customers to sign in with their own established identity (Gmail / Facebook)

How can Tailwind Traders allow users to reset their own passwords?

Demo: Configuring Self-Service Password Reset

Empower user self-service to save time and money

Resolving user password issues is one of the largest IT costs.

Enable resets from an intuitive web interface or directly from the Windows login screen.

Detecting threats to accounts as they occur

Connected intelligence: Observe trillions of signals and risk events from cloud systems
Continuous detection: Apply artificial intelligence and human expertise to derive accurate insights
Actionable insights: Send alerts, self-mitigate, and automatically remediate threats

How can Tailwind Traders require a user to take extra steps to identify themselves when performing a risky sign-in?

Demo: Configuring Conditional Access

Azure AD Conditional Access

Identity providers: Azure AD, ADFS, MSA, Google ID

Conditions
• Users and Roles: Employee & Partner
• Trusted & Compliant Devices: Android, iOS, MacOS, Windows, Windows Defender ATP
• Physical & Virtual Location: Geo-location, Corporate Network
• Client apps & Auth Method: Browser apps, Client apps

Evaluation: Real time Evaluation Engine, Machine learning, Session Risk, Policies, Effective policy

Controls
• Allow/block access
• Limited access
• Require MFA
• Force password reset
• Block legacy authentication

Resources: Microsoft Cloud, Microsoft Cloud App Security, Cloud SaaS apps, On-premises & web apps

Smart Lockout

Keeping the bad people out and the good people in

Smart Lockout in action

The user normally logs in from Redmond, WA, so Redmond = familiar location. The data center keeps two counters for the user: a Familiar Location counter and an Unfamiliar Location counter.

• User logs in from Redmond, WA with the correct password. Counter remains unchanged (familiar 0, unfamiliar 0).
• User logs in from Redmond, WA with an incorrect password. Familiar location’s counter increases; the unfamiliar location counter stays at 0.
• User logs in from Redmond, WA with an incorrect password again. Familiar location’s counter increases.
• User logs in from Redmond, WA a third time with the correct password. Familiar location’s counter resets.
• A bad actor is located in Tasmania. Tasmania = unfamiliar location; the unfamiliar location counter is 0.
• Bad actor logs in from Tasmania with an incorrect password. Unfamiliar location counter increases to 1.
• Bad actor logs in from Tasmania with an incorrect password again. Unfamiliar location counter increases to 2.
• Bad actor keeps logging in from Tasmania with incorrect passwords. Unfamiliar location counter increases to 10. Bad actor LOCKED OUT!
• User logs in from Redmond, WA with the correct password while the unfamiliar location counter is still at 10. User hit the familiar location counter, not the unfamiliar location counter. User not locked out.

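The counter behaviour the slides walk through, as an added example that is not part of the deck or of Azure AD itself: a deliberately simplified model with one counter per location class and the threshold of 10 the slides show being reached. The fixed set of "familiar" locations and the counter names are assumptions of this example; the real service decides familiarity from richer signals.

```python
from dataclasses import dataclass, field

# Added example (not from the slide deck). Simplified model of the behaviour the
# slides walk through: one counter per location class, and the lockout threshold
# of 10 that the slides show being reached. Azure AD's real service-side
# heuristics for what counts as "familiar" are richer than a fixed set of locations.
LOCKOUT_THRESHOLD = 10


@dataclass
class SmartLockoutState:
    """Per-user state: a familiar-location counter and an unfamiliar-location counter."""
    familiar_locations: set
    familiar_counter: int = 0
    unfamiliar_counter: int = 0
    # (location, password_ok, outcome, familiar_counter, unfamiliar_counter) per attempt
    log: list = field(default_factory=list)

    def attempt(self, location: str, password_ok: bool) -> str:
        """Record one sign-in attempt and return 'success', 'failure' or 'locked out'."""
        counter = "familiar_counter" if location in self.familiar_locations else "unfamiliar_counter"
        current = getattr(self, counter)
        if current >= LOCKOUT_THRESHOLD:
            # Lockout applies to this location class only, even for a correct password.
            outcome = "locked out"
        elif password_ok:
            # Correct password: this class's counter resets; the other counter is untouched.
            setattr(self, counter, 0)
            outcome = "success"
        else:
            setattr(self, counter, current + 1)
            outcome = "locked out" if current + 1 >= LOCKOUT_THRESHOLD else "failure"
        self.log.append((location, password_ok, outcome, self.familiar_counter, self.unfamiliar_counter))
        return outcome


def replay_slides() -> SmartLockoutState:
    """Replay the slides: the user in Redmond, WA (familiar), a bad actor in Tasmania (unfamiliar)."""
    state = SmartLockoutState(familiar_locations={"Redmond, WA"})
    state.attempt("Redmond, WA", True)      # correct password: counter remains 0
    state.attempt("Redmond, WA", False)     # incorrect: familiar counter -> 1
    state.attempt("Redmond, WA", False)     # incorrect again: familiar counter -> 2
    state.attempt("Redmond, WA", True)      # correct: familiar counter resets to 0
    for _ in range(LOCKOUT_THRESHOLD):      # bad actor guesses wrong 10 times
        state.attempt("Tasmania", False)    # unfamiliar counter -> 10: locked out
    state.attempt("Redmond, WA", True)      # user still signs in: a different counter
    return state
```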
Password Challenges

• Usage of common passwords
• Password spray attacks on the rise
• Active Directory can’t natively ban common passwords

How can Tailwind Traders ensure their users don’t use banned or common passwords?

Demo: Azure AD Password Protection

Azure AD Password Protection
Cloud intelligence to ensure strong passwords

• Smart Lockout to thwart bad actors trying to guess passwords.
• Dynamic banning of passwords based on known bad patterns and those you define.
• Built for hybrid environments.
• Unified admin experience for on-premises and cloud.

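The banning idea described above (a global list of known-bad passwords plus terms the tenant defines), as an added illustration that is not part of the deck and is not Microsoft’s algorithm, scoring or word lists: both lists, the substitution table and the length floor are constructed for this example.

```python
# Added example (not from the slide deck): a simplified model of the idea behind
# Azure AD Password Protection's banned-password lists. It is an illustration
# (global list plus tenant-defined terms, matched after normalisation), not
# Microsoft's actual algorithm, scoring or word lists.

# Constructed sample lists: a tiny "global" list of known-bad passwords and a
# tenant's custom banned terms (brand names are the usual "those you define").
GLOBAL_BANNED = {"password", "qwerty", "letmein", "welcome", "summer"}
CUSTOM_BANNED = {"tailwind", "traders", "contoso"}  # constructed for this example

# Common character substitutions undone before matching, so obvious variants of a
# banned word do not slip through. The table is this example's own choice.
SUBSTITUTIONS = str.maketrans({"0": "o", "1": "l", "!": "i", "$": "s", "@": "a", "3": "e"})
MIN_LENGTH = 8  # illustrative length floor, not an Azure AD setting


def normalize(password: str) -> str:
    """Lower-case and undo substitutions: 'P@$$w0rd' -> 'password'."""
    return password.lower().translate(SUBSTITUTIONS)


def banned_terms_in(password: str) -> list:
    """Return, sorted, every banned term that appears in the normalised password."""
    norm = normalize(password)
    return sorted(term for term in GLOBAL_BANNED | CUSTOM_BANNED if term in norm)


def evaluate(password: str) -> tuple:
    """Return (accepted, reason): reject on any banned term, then on short length."""
    hits = banned_terms_in(password)
    if hits:
        return False, "contains banned term(s): " + ", ".join(hits)
    if len(password) < MIN_LENGTH:
        return False, "shorter than %d characters" % MIN_LENGTH
    return True, "ok"
```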
Hybrid Azure AD Password Protection

• Integrates with on-premises Active Directory
• Domain Controllers communicate with Azure AD through Azure AD Password Protection Proxy Service

Nobody likes passwords

Passwords are expensive and insecure

Password reuse across multiple accounts: 73% of passwords are duplicates
Passwords are the weak link: 81% of breaches leveraged passwords
Data breaches are expensive: $3.86 million, the average total cost of a data breach
Passwords generate tons of support calls: #1 cost for IT departments is forgotten passwords

Microsoft’s password-replacement offerings

Standards-based private key authentication: aka.ms/gopasswordless

• Windows Hello for Business
• Microsoft Authenticator
• Microsoft compatible security keys (FIDO2)

Want to learn more?

Upcoming Session

APPS40: Managing Delivery of Your App via DevOps, 3:15 p.m., Room 305

MS Learn
Complete interactive learning exercises, watch videos, and practice and apply your new skills.
aka.ms/AFUN90MSLearnCollection

Microsoft Certification
• Microsoft Certified: Azure Fundamentals: aka.ms/AzureFunCert
• Microsoft Certified: Azure Administrator Associate: aka.ms/AzureAdminCert
Get hired, stay ahead, and receive the recognition you deserve

Exclusive offer for Microsoft Ignite The Tour attendees: Free Certification Exam on fundamentals, role-based, or specialty certifications*

Now is your chance to stand out among your peers. Get certified and prove your expertise to employers and peers and get the recognition and opportunities you've earned. Take advantage of this offer by scheduling a free exam online today.

Learn more about Microsoft Certifications: Microsoft.com/Certifications
Begin with free online training: Microsoft.com/Learn
Find a Learning Partner to help you prepare: aka.ms/LearningPartner
aka.ms/FreeExam_MSIgnite

Limited to one (1) per attendee. Subject to terms and conditions. Please see website for details.
*Free exams include only those with the following prefixes: AI, AZ, DP, MB, MD, MS, and PL

Resources

Session Resources: aka.ms/AFUN90
Session Code on GitHub: aka.ms/AFUN90Repo
All Event Resources: aka.ms/mymsignitethetour

Get Certified
You’re on your way to being certified!
• Microsoft Certified: Azure Fundamentals: aka.ms/AzureFunCert
• Microsoft Certified: Azure Administrator Associate: aka.ms/AzureAdminCert
aka.ms/app10certification

Invent with purpose.
