
Project Manager - Hilal Bhat (UIID22)

Azure AD Tenant and MIM integration Project

Enabling Cloud Service


KNOWLEDGE SHARING

CONFIDENTIAL
Agenda
• Cloud Strategy Statement
• Public Cloud Service Model
• Cloud Service Providers
• Project deliverables
• Solution overview: Azure AD and Azure AD Connect
• Azure AD Architecture
• How to raise a request in MIM in practice?

IDD Cloud Strategy Statement
PDO will benefit from adopting Cloud services to drive business agility and to enable a mobile
workforce, while ensuring that the appropriate security controls and data sovereignty
safeguards are in place.

© 2016 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. Other products mentioned that are not
trademarks include Microsoft Identity Manager and Windows PowerShell. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because
Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this
presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION. Microsoft, Windows are either registered trademarks or trademarks of Microsoft Corporation
in the United States and/or other countries.
What is Cloud?

Top Cloud Service Providers
PDO's strategy is to utilize Microsoft Identity Cloud Services.
Public Cloud Services
SaaS
SaaS is often the top-most layer in an organization's cloud strategy. It
refers to software that is hosted on someone else's infrastructure, but
delivered to a client organization's end users as a service, often accessed
through a specific web portal.

PaaS
PaaS is the next layer down the cloud stack, offering platforms upon which
apps and services can be built. Very few, if any, business people will interact
with a PaaS.

IaaS
The bottom-most foundational layer of cloud computing is IaaS, which
offers the storage, networking, and compute resources needed to run a
business.
IaaS is what most people think of when they hear the term 'cloud
computing'. It's also the layer at which the conversation around public versus
private cloud carries the most weight.
Public Cloud Service Models

Diagram: PDO, Contractors, SHELL
ADFS – Active Directory Federation Services
What is Azure AD?
Azure AD is Microsoft's cloud-based directory and identity management
service that combines:
 Core directory services
 Application access management
 Identity protection
into a single solution.
What is Azure AD Connect?
 Azure AD Connect integrates on-premises directories with Azure Active Directory. This allows PDO to provide a common
identity for our users for Office 365, Azure, and SaaS applications integrated with Azure AD.
 Synchronizes users to Azure AD.
 Synchronized users are not automatically granted any license. Admins still have total control over license assignment.
Azure AD Project Deliverables
Current Working Solution (in PDO)
 Security groups were configured with Azure AD group-based
licensing for the following services:
 Office 365
 Self-Service Password Management
 OneDrive for Business
 SharePoint Online
 Skype for Business
 Yammer
 Azure RMS

Azure AD Architecture

 PDO has chosen to implement pass-through authentication as part of our sign-on option.
 Passwords are not synchronized. Instead, AAD Connect performs the authentication on behalf of Azure AD by
communicating directly with the Domain Controllers.
 A secondary Authentication Agent runs in standby in case the main server is not functioning properly.
 Failover/fallback activities happen automatically and do not require any intervention.
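Because the failover described above is only automatic while a second healthy agent exists, an operator wants a quick way to confirm both agents are up. The script below is an added example, not part of the original deck or of Azure AD Connect itself; the host names are placeholders, PowerShell remoting to the agent servers is assumed to be enabled, and the Windows service name is an assumption to confirm on your own hosts.

```powershell
# Added example (not from the original deck): health check for the
# pass-through authentication agents. Host names are assumed placeholders;
# PowerShell remoting (WinRM) to these servers is assumed to be enabled.
$AgentServers = @('PTA-MAIN-01', 'PTA-STANDBY-01')

# Windows service name of the Azure AD Connect Authentication Agent
# (assumed; confirm with Get-Service on an agent host before relying on it).
$ServiceName = 'AzureADConnectAuthenticationAgent'

# Azure AD sign-in endpoint, used here only as a basic outbound HTTPS probe.
# The agents need outbound connectivity only, matching the "no inbound rules" design.
$Probe = 'login.microsoftonline.com'

$results = foreach ($server in $AgentServers) {
    try {
        Invoke-Command -ComputerName $server -ErrorAction Stop -ScriptBlock {
            param($svcName, $probe)
            $svc    = Get-Service -Name $svcName -ErrorAction SilentlyContinue
            $status = if ($svc) { [string]$svc.Status } else { 'NotInstalled' }
            $net    = Test-NetConnection -ComputerName $probe -Port 443 -WarningAction SilentlyContinue
            [pscustomobject]@{
                Server        = $env:COMPUTERNAME
                AgentStatus   = $status
                OutboundHttps = $net.TcpTestSucceeded
            }
        } -ArgumentList $ServiceName, $Probe
    }
    catch {
        # An unreachable host is reported rather than silently dropped.
        [pscustomobject]@{ Server = $server; AgentStatus = 'Unreachable'; OutboundHttps = $false }
    }
}

$results | Format-Table -AutoSize

# Automatic failover needs at least two agents that are running and can reach Azure AD.
$healthy = @($results | Where-Object { $_.AgentStatus -eq 'Running' -and $_.OutboundHttps })
if ($healthy.Count -lt 2) {
    Write-Warning "Only $($healthy.Count) healthy agent(s): automatic failover is not assured."
    exit 1
}
```

Run it from a management workstation on a schedule; a non-zero exit code is the signal that the standby the deck relies on is not actually available.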
Key features
• Allow users to change or reset a forgotten or expired password without calling the
help desk
• Must be coupled with password write-back

 Uses the existing AAD Connect server
 Does not require any inbound firewall rules
 Enforces on-premises Active Directory password policies
 Supports multiple forests with Azure AD Connect
 Works with federation, password hash sync, and pass-through auth
Introduction

What is multi-factor authentication?


Any two or more of the following factors:
• Something you know: a password or PIN
• Something you have: a phone, credit card or hardware token
• Something you are: a fingerprint, retinal scan or other biometric
Examples: hardware token, certificates, smartcard, phone.

PDO decided to use a text code sent to the registered mobile device as the MFA method.
How shall users request a Cloud Service in PDO using MIM?
User Lifecycle Management Services
1. Go to the MIM Portal
2. Go to "My Service Requests" -> Click New
3. Pick the requested service (in this case it's Yammer)
4. Fill in the Business Justification
5. Set the expiry date
6. Click Next
7. Check that all the information is correct
8. Click "Submit"
9. The following window will pop up summarizing the request and showing the status
10. The request will undergo a two-level approval process (direct line manager and service owner)

Note: After raising the request in MIM, it will take max. 5h for the user to receive the license.
LICENSING

AZURE RESOURCES
Microsoft Azure Portal: The main Azure Services portal
Microsoft Azure EA Portal: The main Azure management portal for Enterprise Customers
Do More with Azure - Start: Basic onboarding knowledge content for Azure
Azure Tour: Microsoft datacenter virtual tour
Azure services: Browse our growing directory of integrated Azure services, features, and bundled suites
Azure services by region: View products available by region
Azure Solutions: We've grouped Azure services, third-party applications, and related products together to help meet the most common business needs and scenarios
Azure Solutions Architecture: Architectures to help you design and implement secure, highly available, performant and resilient solutions on Azure
Azure Pricing Calculator: Configure and estimate the costs for Azure products
Azure Pricing – how to save money: Microsoft Azure allows you to quickly deploy infrastructure and services to meet all of your business needs. You can run Windows and Linux based applications in 36 Azure datacenter regions, delivered with enterprise grade SLAs. See how you can save in this link
Azure TCO Tool: Use the Azure TCO Calculator to estimate the cost savings you can realize by migrating your application workloads to Microsoft Azure
Azure privacy, transparency, compliance and security: All information regarding how Azure handles security, data privacy, data protection, data sovereignty and related subjects such as Azure attestations and certification (Azure Privacy, Azure Trust Center, Azure Transparency, Azure Security, Azure Compliance)
Azure standard response for request for information: This document provides our customers with a detailed assessment of how Azure core services fulfill the security, privacy, compliance, and risk management requirements as defined in the Cloud Security Alliance (CSA) Cloud Control Matrix (CCM) version 3.0.1.
Azure Trust Documents: Information about how Microsoft cloud services protect your data, and how you can manage cloud data security and compliance for your organization
Azure public roadmap: The product roadmap is the place to find out what's new and what's coming next
Azure SLAs: The Service Level Agreement (SLA) describes Microsoft's commitments for uptime and connectivity.
Azure Whitepapers library: Quick reads on key cloud topics such as cloud security, hybrid clouds, and the economic benefits of cloud adoption
Azure Case Studies: Check out these innovative Azure stories by world class companies
Azure free training: Explore free online learning resources from videos to hands-on labs to help you build expertise in Azure
Azure Quickstart Templates: Deploy Azure resources through the Azure Resource Manager with community contributed templates to get more done. Deploy, learn, fork and contribute back (https://github.com/Azure/azure-quickstart-templates)
Azure support plans: Explore the range of Azure support options
Azure Knowledge Base: Get answers to common support questions
Microsoft Azure marketplace: Browse the Azure Marketplace catalog
Azure Blog: Hear from Azure experts and developers about the latest information, insights, announcements, and Azure news in the Microsoft Azure blog
 
Questions?
