How AD has been re-engineered to extend to the Cloud
Philippe Beraud, @philberd
Architect | Office of CTO | Microsoft France
Transcript
A Brief History
Over the years, three main models have emerged and coexist
1. Identity model of the "firewall age"
• Concept of security and administrative domains/realms
• Collection of resources tightly integrated under a single and closed administration
• Age of the organization's directory services and NOS, but also the beginning of meta-directories and other virtual directories to manage multiple identity silos
2. Identity model of the age of the Internet
• Consideration of suppliers, customers, and partners as a different category of objects, BUT still in the same "administrative domain"
• Declaration of these objects in various repositories while needing unified management
A Brief History (cont'd)
Over the years, three main models have emerged and coexist
3. First generation of the identity ecosystem model
• Concept of the so-called extended enterprise for collaboration with suppliers and partners, as well as interaction with customers
• Age of Web SSO and identity federation, with a HUGE step crossed BUT ALSO a lot of complexity, burden, etc.
About Windows Server Active Directory (AD)
Windows Server Active Directory (AD) is an illustration of the products and technologies that sustain these three models
• AD is an on-premises LDAP v3 (RFC 4510 compliant) Directory Service
  • Active Directory Domain Services (AD DS)
  • Active Directory Lightweight Directory Services (AD LDS)
• With complementary services
  • Active Directory Federation Services (AD FS)
  • Active Directory Certificate Services (AD CS)
  • Active Directory Rights Management Services (AD RMS)
  • Forefront Identity Management (FIM)
Towards a New Identity Model
Identity (and Access) Management as a Service (IdMaaS)
• Commodities accessible to EVERYONE
• "Organization-owned" identity provider for applications wherever they run, whatever they are, on any platform, on any device
• Central "hub" to provision/de-provision/manage users and their common devices
  • Consolidation with the on-premises environment, the SaaS/multi-tenant applications, etc.
  • Seamless federation and synchronization with on-premises directory services
  • Multi-factor authentication
• Replace today's complexity at the application level with an IdMaaS feature
• Combine the most advanced capabilities with externalized operations to reduce risk, effort and cost
• Control or even reduce costs by taking full advantage of the efficiency of the Cloud and of automation
Windows Azure Active Directory
Projecting Identities in the Cloud with Windows Azure Active Directory (AAD)
AAD is NOT on-premises Windows Server AD in the Cloud
AAD is an enterprise-class, cloud-based IdMaaS solution
• AAD offers a large set of features at NO cost
AAD is the Directory Service for Microsoft's Online services
• Office 365, Dynamics CRM Online, Windows Intune, and now the Windows Azure Portal
Microsoft Account (Live ID) is yet ANOTHER identity infrastructure
AAD aims at maximizing reach in terms of platforms and devices
• AAD uses http/web/REST-based modern protocols for identity and access management
AAD provides a RESTful interface for CRUD operations
• The Directory Graph API provides programmatic access to typed directory objects and their relationships
• GET, POST, PATCH, DELETE are used to read, create, update, and delete
• Responses support JSON, XML, and standard HTTP status codes
• Compatible with OASIS OData
• The Directory Graph API supports OAuth 2.0 for authentication, role-based assignment for apps, and user authorization
• Operations are scoped to an individual tenant context
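The slide above describes the Graph API as tenant-scoped REST over OData with OAuth 2.0 bearer tokens. The following is an added example, not code from the deck or from Microsoft: a minimal client that maps CRUD onto the four HTTP verbs, follows OData paging, and treats a 401 as a token problem rather than a data problem. The base URL, api-version value, object shapes and error payloads are assumptions, and the transport is a constructed stand-in so it runs offline.

```python
import json
from urllib.parse import urlencode, urlparse, parse_qs

# Assumption: placeholder endpoint and api-version; the slides name no URL.
GRAPH_BASE = "https://graph.example.invalid"
API_VERSION = "1.6"  # hypothetical value

def build_request(tenant, method, resource, token, body=None, query=None):
    """Map a CRUD operation onto an HTTP verb and a tenant-scoped OData URL."""
    if method not in ("GET", "POST", "PATCH", "DELETE"):
        raise ValueError(f"unsupported verb {method}")
    params = {"api-version": API_VERSION, **(query or {})}
    headers = {"Authorization": f"Bearer {token}", "Accept": "application/json"}
    data = None
    if body is not None:          # POST/PATCH carry a JSON document
        headers["Content-Type"] = "application/json"
        data = json.dumps(body)
    return {"method": method, "body": data, "headers": headers,
            "url": f"{GRAPH_BASE}/{tenant}/{resource}?{urlencode(params)}"}

def list_all(tenant, resource, token, transport):
    """Read every object, following OData paging via odata.nextLink ($skiptoken)."""
    objects, query = [], {}
    while True:
        status, payload = transport(build_request(tenant, "GET", resource, token, query=query))
        if status == 401:         # missing or expired OAuth 2.0 bearer token
            raise PermissionError("token rejected; acquire a new one via OAuth 2.0")
        if status != 200:
            raise RuntimeError(f"unexpected HTTP status {status}")
        objects.extend(payload.get("value", []))
        next_link = payload.get("odata.nextLink")
        if not next_link:
            return objects
        query = {"$skiptoken": parse_qs(urlparse(next_link).query)["$skiptoken"][0]}

# Constructed sample responses standing in for the service, so this runs offline.
_PAGES = {
    None: (200, {"value": [{"objectId": "u1"}, {"objectId": "u2"}],
                 "odata.nextLink": "users?$skiptoken=page2"}),
    "page2": (200, {"value": [{"objectId": "u3"}]}),
}

def fake_transport(req):
    """Serve the constructed pages; reject requests without a bearer token."""
    if not req["headers"].get("Authorization", "").removeprefix("Bearer "):
        return 401, {"odata.error": {"code": "TokenMissing"}}  # constructed
    skip = parse_qs(urlparse(req["url"]).query).get("$skiptoken", [None])[0]
    return _PAGES[skip]
```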
Graph Explorer, a browser-based query tool: http://graphexplorer.cloudapp.net
Many applications, one identity repository
(Diagram: Windows Server Active Directory (or other (LDAP) identity infrastructure), consumer identity providers, SaaS apps, and LOB & custom apps all connected to an AAD tenant.)
• Monitor and protect access to enterprise applications
• Personalized access to my applications
• Preintegrated popular SaaS apps
• Easily add custom cloud-based apps; facilitate developers with identity management
• Connect and sync Windows Server Active Directory (or other (LDAP) identity infrastructure) with an AAD tenant
• Identities and applications in one place
One identity repository for the best UX
Demo 2
Deliver a seamless user authentication experience
(Diagram: Windows Server Active Directory (or other (LDAP) identity infrastructure) on premises, synchronized with AAD, with two authentication options.)
Cloud Authentication: directory synchronization with password hash sync
• User attributes are synchronized, including the password hash; authentication is completed against AAD
• Multi-Factor Authentication can be configured through Windows Azure
Federated Authentication: directory synchronization with an on-premises identity provider
• User attributes are synchronized; authentication is passed back through federation and completed against the on-premises identity federation infrastructure
• Multi-Factor Authentication can be configured through the integration with Windows Azure or thanks to other capabilities
Synchronize the identities with LDAP-based directories
The FIM 2010 R2 synchronization engine can be leveraged
• AAD Connector available on Microsoft Connect
• Generic LDAP v3 (RFC 4510 compliant) Connector Beta available on Microsoft Connect
  • Certain operations, such as delta import, are not specified in the IETF RFCs. Supported directories for delta import and password: OpenLDAP, Novell NDS
  • LDAP referrals between servers (RFC 4511, section 4.1.10) are not supported