
How AD has been re-engineered to extend to the cloud

Oct 19, 2014

Transcript
Page 1: How AD has been re-engineered to extend to the cloud

How AD has been re-engineered to extend to the Cloud

Philippe Beraud, @philberd, Architect | Office of CTO | Microsoft France

Page 2: How AD has been re-engineered to extend to the cloud

A Brief History

Over the years, three main models have emerged and coexist:

1. Identity model of the "firewall age"
• Concept of security and administrative domains/realms
• Collection of resources tightly integrated under a single and closed administration
• Age of the organization's directory services and NOS, but also the beginning of meta-directories and other virtual directories to manage multiple identity silos

2. Identity model against the age of the Internet
• Consideration of suppliers, customers, and partners as a different category of objects, BUT still in the same "administrative domain"
• Declaration of these objects in various repositories while having the need for a unified management

Page 3: How AD has been re-engineered to extend to the cloud

A Brief History (cont'd)

Over the years, three main models have emerged and coexist:

3. First generation of the identity ecosystem model
• Concept of the so-called extended enterprise for collaboration with suppliers and partners as well as the interaction with customers
• Age of Web SSO and of identity federation: a HUGE step crossed, BUT ALSO a lot of complexity, burdens, etc.

Page 4: How AD has been re-engineered to extend to the cloud

About Windows Server Active Directory (AD)

Windows Server Active Directory (AD) represents an illustration of products and technologies that sustain these three models

• AD is an on-premises LDAP v3 (RFC 4510 compliant) Directory Service
  • Active Directory Domain Services (AD DS)
  • Active Directory Lightweight Directory Services (AD LDS)
• With complementary services
  • Active Directory Federation Services (AD FS)
  • Active Directory Certificate Services (AD CS)
  • Active Directory Rights Management Services (AD RMS)
  • Forefront Identity Manager (FIM)

Page 5: How AD has been re-engineered to extend to the cloud

Towards a New Identity Model

Identity (and Access) Management as a Service (IdMaaS)
• Commodities accessible to EVERYONE
• "Organization-owned" identity provider for applications wherever they run, whatever they are, on any platform, on any device
• Central "hub" to provision/de-provision/manage users and their common devices
  • Consolidation with the on-premises environment, the SaaS/multi-tenant applications, etc.
• Seamless federation and synchronization with on-premises directory services
• Multi-factor authentication
• Replace today's complexity at the application level with an IdMaaS feature
• Combine the most advanced capabilities with operations externalization to achieve a reduction in risk, effort and cost
• Control or even reduce costs by taking full advantage of the efficiency of the Cloud and automation

Page 6: How AD has been re-engineered to extend to the cloud

Projecting Identities in the Cloud with Windows Azure Active Directory

Page 7: How AD has been re-engineered to extend to the cloud

Windows Azure Active Directory (AAD)

AAD is NOT on-premises Windows Server AD in the Cloud

AAD is an enterprise-class IdMaaS cloud-based solution
• AAD offers a large set of features at NO cost

AAD is the Directory Service for Microsoft's Online services
• Office 365, Dynamics CRM Online, Windows Intune, and now the Windows Azure Portal

Microsoft Account (Live ID) is yet ANOTHER identity infrastructure

Page 8: How AD has been re-engineered to extend to the cloud

AAD Design Principles (cont'd)

Such a Cloud-based service requires specific capabilities
• Optimization of availability, consistent performance, scalability, geo-redundancy, etc., but NOT only

AAD is a multi-tenant environment
• "Organization-owned" tenant: the customer organization owns the data of their directory, NOT Microsoft

AAD relies on a schema
• For the semi-structured information on entities and their relationships
• AAD does not allow for a custom schema
• AAD will however provide the ability for attribute extensions, links to (external) resources, etc.
  • As per Windows Azure Graph Store capabilities (Preview)

Page 9: How AD has been re-engineered to extend to the cloud

AAD Design Principles (cont'd)

AAD aims at maximizing the reach in terms of platforms and devices
• AAD uses HTTP/web/REST-based modern protocols for identity and access management

AAD provides a RESTful interface for CRUD operations
• Directory Graph API provides programmatic access to typed directory objects and their relationships
• GET, POST, PATCH, DELETE are used to create, read, update, and delete
• Responses support JSON, XML, standard HTTP status codes
• Compatible with OASIS OData
• Directory Graph API supports OAuth 2.0 for authentication, role-based assignment for apps, and user authorization
• Operations are scoped to an individual tenant context
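The request/response pattern this slide describes, as an added example in Python (not code from the deck or from Microsoft). It assumes the classic graph.windows.net tenant-scoped URL layout with OData JSON responses and a tenant-relative paging link; the token, tenant name and responses are constructed, and the off-host check on the paging link is the caveat a practitioner would add before sending a bearer token anywhere.

```python
"""Added example (not from the deck or Microsoft): build tenant-scoped Directory Graph
API requests and walk their OData JSON responses. Assumes the classic layout
https://graph.windows.net/{tenant}/{resource}?api-version=..., a "value" array and an
optional tenant-relative "odata.nextLink" for paging; token, tenant and pages are constructed."""
import json
from urllib.parse import parse_qs, urlencode, urlsplit

GRAPH_HOST = "graph.windows.net"
GRAPH_BASE = f"https://{GRAPH_HOST}"

def build_request(tenant, resource, access_token, api_version="1.6", **odata):
    """(url, headers) for a GET scoped to one tenant by its path, authenticated with
    an OAuth 2.0 bearer token and filtered by OData options (filter=..., top=...)."""
    params = {"api-version": api_version}
    params.update({f"${key}": value for key, value in odata.items()})
    url = f"{GRAPH_BASE}/{tenant}/{resource}?{urlencode(params, safe='$')}"
    headers = {"Authorization": f"Bearer {access_token}",  # bearer token, never Basic/NTLM
               "Accept": "application/json"}
    return url, headers

def parse_page(status, body):
    """Map the HTTP status to an outcome; return (objects, next_link or None)."""
    if status in (401, 403):
        raise PermissionError(f"HTTP {status}: token missing, expired or lacking permission")
    if status != 200:
        raise RuntimeError(f"unexpected HTTP {status}")
    doc = json.loads(body)
    return doc.get("value", []), doc.get("odata.nextLink")

def resolve_next_link(tenant, next_link, api_version="1.6"):
    """URL of the following page. A relative link is resolved under the same tenant;
    an absolute one is followed only on the Graph host, so the token never leaks."""
    parts = urlsplit(next_link)
    if parts.scheme or parts.netloc:
        if parts.scheme != "https" or parts.netloc != GRAPH_HOST:
            raise ValueError(f"refusing to send the bearer token to {next_link!r}")
        return next_link
    sep = "&" if "?" in next_link else "?"
    return f"{GRAPH_BASE}/{tenant}/{next_link}{sep}api-version={api_version}"

def list_all(tenant, access_token, resource, fetch, api_version="1.6", **odata):
    """Collect every object of a tenant-scoped collection, following paging links.
    fetch(url, headers) must return (status, body): inject a real HTTP client."""
    url, headers = build_request(tenant, resource, access_token, api_version, **odata)
    objects = []
    while url:
        page, next_link = parse_page(*fetch(url, headers))
        objects.extend(page)
        url = resolve_next_link(tenant, next_link, api_version) if next_link else None
    return objects

SAMPLE_PAGES = {  # constructed responses, keyed by the $skiptoken the server hands out
    None: json.dumps({"value": [{"objectType": "User", "userPrincipalName": "alice@contoso.onmicrosoft.com"}],
                      "odata.nextLink": "directoryObjects/$/Microsoft.DirectoryServices.User?$skiptoken=X'PAGE2'"}),
    "X'PAGE2'": json.dumps({"value": [{"objectType": "User", "userPrincipalName": "bob@contoso.onmicrosoft.com"}]}),
}

def fake_fetch(url, headers):
    """Offline stand-in for an HTTP client: checks the bearer header, serves SAMPLE_PAGES."""
    if headers.get("Authorization") != "Bearer TOKEN":
        return 401, "{}"
    skiptoken = parse_qs(urlsplit(url).query).get("$skiptoken", [None])[0]
    return 200, SAMPLE_PAGES[skiptoken]
```

Calling `list_all("contoso.onmicrosoft.com", "TOKEN", "users", fake_fetch)` walks both constructed pages and returns the two users; swapping `fake_fetch` for a real HTTP client is the only change needed against a live tenant.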

Page 10: How AD has been re-engineered to extend to the cloud

Demo 1

Graph Explorer, browser-based query tool: http://graphexplorer.cloudapp.net

Page 11: How AD has been re-engineered to extend to the cloud

AAD Design Principles (cont'd)

AAD is not AD or LDAP in the cloud, BUT there are four aspects to LDAP:

• LDAP – network communications protocol (389/636)
  • AAD supports a RESTful Directory Graph API over HTTP/S (and PowerShell), with OAuth 2.0, instead of LDAP or Kerberos
  http://msdn.microsoft.com/en-us/library/windowsazure/hh974476.aspx

• LDAP – object data model with inheritance
  • AAD supports the Graph Entity Data Model with inheritance
  http://msdn.microsoft.com/en-us/library/ee382825.aspx

• LDAP – layout (namespace) is hierarchical (e.g. ou=)
  • AAD is a flat namespace that includes groups and abstract containers, in a multi-tenant environment
  http://msdn.microsoft.com/en-us/library/ee382835(v=vs.110).aspx

• LDAP – distribution model, aka replication
  • AAD is a managed service with geo-redundancy

Page 12: How AD has been re-engineered to extend to the cloud

AAD Key Scenarios

Many applications, one identity repository.

Manage access to cloud applications.

Monitor and protect access to enterprise applications.

Personalized access to my applications.

Page 13: How AD has been re-engineered to extend to the cloud

Many applications, one identity repository

Preintegrated popular SaaS apps.

Easily add custom cloud-based apps. Facilitate developers with identity management.

Connect and sync Windows Server Active Directory (or other (LDAP) identity infrastructure) with an AAD tenant.

Identities and applications in one place.

Diagram labels: Windows Server Active Directory (or other (LDAP) identity infrastructure); Consumer identity providers; SaaS apps; LOB & custom apps

Page 14: How AD has been re-engineered to extend to the cloud

One identity repository for the best UX

Demo 2

Page 15: How AD has been re-engineered to extend to the cloud

Deliver a seamless user authentication experience

Cloud Authentication: directory synchronization with password hash sync. User attributes are synchronized, including the password hash; authentication is completed against AAD. Multi-Factor Authentication can be configured through Windows Azure.

Federated Authentication: user attributes are synchronized; authentication is passed back through federation and completed against the on-premises identity federation infrastructure. Multi-Factor Authentication can be configured through the integration with Windows Azure or thanks to other capabilities.

Diagram labels: On-premises identity provider; Windows Server Active Directory (or other (LDAP) identity infrastructure)

Page 16: How AD has been re-engineered to extend to the cloud

Synchronize the identities with LDAP-based directories

The FIM 2010 R2 synchronization engine can be leveraged
• AAD Connector available on Microsoft Connect
  https://connect.microsoft.com/site433/FIM%20Sync%20Connectors
• Generic LDAP v3 (RFC 4510 compliant) Connector Beta available on Microsoft Connect
  • Certain operations, such as delta import, are not specified in the IETF RFCs. Supported directories for delta import and password: OpenLDAP, Novell NDS
  • LDAP referrals between servers (RFC 4511, section 4.1.10) are not supported
  https://connect.microsoft.com/site433/FIM%20Sync%20Connectors
• OpenLDAP Extensible Management Agent (XMA) available on SourceForge
  http://openldap-xma.sourceforge.net/

Page 17: How AD has been re-engineered to extend to the cloud

Manage access to many cloud applications

Centralized access administration for preintegrated SaaS apps and other Cloud-based apps.

Secure business processes with advanced access management capabilities.

Comprehensive identity and access management console.

Your cloud apps ready when you are.

Diagram labels: IT professional; SaaS apps

Page 18: How AD has been re-engineered to extend to the cloud

Windows Azure Management Portal

Demo 3

Page 19: How AD has been re-engineered to extend to the cloud

Application Access Enhancements for Windows Azure Active Directory

Demo 4

Page 20: How AD has been re-engineered to extend to the cloud

Granting Access for SaaS multi-tenant apps

Demo 5

Page 21: How AD has been re-engineered to extend to the cloud

Monitor and protect access to enterprise apps

Security reporting that tracks inconsistent access patterns.

Built-in security features.

Ensure secure access and visibility on usage patterns for SaaS and cloud-hosted LOB applications.

Step up to Multi-Factor authentication.

Page 22: How AD has been re-engineered to extend to the cloud

Windows Azure Multi-Factor Authentication

Demo 6

Page 23: How AD has been re-engineered to extend to the cloud

Personalized access to my applications

Single Sign On experience for all SaaS applications.

Use Access Panel from all devices with your existing credentials.

All assigned SaaS apps in one web page: The Access Panel.

Users can easily access the SaaS apps they need, using their existing credentials.

Page 24: How AD has been re-engineered to extend to the cloud

User Access Panel

Demo 7

Page 25: How AD has been re-engineered to extend to the cloud

Identities everywhere, accessing everything

Diagram labels: Consumer identity providers; PCs and devices; Windows Server Active Directory (or other (LDAP) identity infrastructure); Microsoft apps; 3rd party clouds/hosting; ISV/CSV apps; Custom LOB apps

Page 26: How AD has been re-engineered to extend to the cloud

Many applications, one identity repository.
• IdMaaS directory on Windows Azure.
• Connect/synchronize on-premises directories with Windows Azure.
• Provide IdM to new apps (ACS, Graph API, SDKs).

Manage access to cloud applications.
• Manage Users.
• Add Cloud-based applications for SSO.

Monitor and protect access to enterprise applications.
• Built-in security.
• Secure tools for synchronization (DirSync, AAD connector).
• Block user access.

Personalized access to my applications.

Page 27: How AD has been re-engineered to extend to the cloud

Many applications, one identity repository.
• IdMaaS directory on Windows Azure.
• Connect/synchronize on-premises directories with Windows Azure.
• Provide IdM to new apps (ACS, Graph API, SDKs).
• Preintegrated popular SaaS applications (Preview).

Manage access to cloud applications.
• Manage Users.
• Add Cloud-based applications for SSO.
• Add preintegrated SaaS apps from the gallery for SSO (Preview).
• Add/Remove users to top preintegrated SaaS apps (Preview).

Monitor and protect access to enterprise applications.
• Built-in security.
• Secure tools for synchronization (DirSync, AAD connector, etc.).
• Block user access.
• Multi-factor authentication.
• Security reports (Preview).

Personalized access to my applications.
• Single screen with assigned SaaS apps for every user: Access Panel (Preview).
• Single Sign On for SaaS apps from Access Panel (Preview).

Page 28: How AD has been re-engineered to extend to the cloud

In GA since April, 2013

Sign up for your free AAD tenant and trial Windows Azure account
• https://account.windowsazure.com/organization

Page 29: How AD has been re-engineered to extend to the cloud

To Go Beyond

Places to start
• http://www.windowsazure.com/en-us/solutions/identity/
• http://channel9.msdn.com/search?term=directory

Microsoft TechNet Documentation
• http://go.microsoft.com/fwlink/p/?linkid=290967

Microsoft MSDN Documentation
• http://go.microsoft.com/fwlink/p/?linkid=290966

Microsoft Active Directory Team Blog
• http://blogs.msdn.com/b/active_directory_team_blog

Windows Azure Active Directory Graph Team Blog
• http://blogs.msdn.com/aadgraphteam

Page 30: How AD has been re-engineered to extend to the cloud

Whitepapers and Step-by-step Guides

Available on the Microsoft Download Center

Office 365 Single Sign-On with AD FS 2.0

Office 365 Single Sign-On with Shibboleth 2.0

Active Directory from the on-premises to the Cloud

Office 365 Adapter: Deploying Office 365 Single Sign-On using Windows Azure

Page 31: How AD has been re-engineered to extend to the cloud

Additional Resources

Windows Azure Trust Center
• A single location that aggregates information on security, privacy, and compliance
  http://www.windowsazure.com/en-us/support/trust-center/

Page 32: How AD has been re-engineered to extend to the cloud

Additional Resources (cont'd)

http://www.microsoft.com/openness

http://msopentech.com

Page 33: How AD has been re-engineered to extend to the cloud

Thank you!