Capabilities of MIM v. Next and the areas we are investing in for the next release
• New capabilities in MIM v. Next improve protection from cyberattacks
• Microsoft Identity Manager (MIM) v. Next aligns with Azure Active Directory Premium
• Roadmap discussion and feedback
IAM – A Comprehensive Solution
Windows Server
• Active Directory is the primary authentication source today across enterprises
• Active Directory Federation Services integrates with Azure AD and MFA
• Web Application Proxy provides preauthentication at the edge
• Enforce conditional access to resources
Microsoft Identity Manager
• Delivers self-service identity management
• Automates lifecycle management across heterogeneous platforms
• Provides a rich policy framework for enforcing corporate security policies for identity and access
Azure Active Directory
• Cloud directory
• Cloud authentication
• Azure Active Directory Premium includes Multi-Factor Authentication, and server and user CALs for Identity Manager
(Diagram: on-premises and private cloud, your apps, Azure AD App Proxy, Azure Active Directory)
Identity Manager Capabilities (diagram)
• Clients: Portal, Outlook, Windows, Custom
• Identity Manager Platform: Policies and Workflow (Request, Permission, AuthN, AuthZ, Action), Service DB, Cloud Services
• Scenarios: Role Management, Group Management, Certificate Management, Identity Synchronization, Password Reset
• Identity Stores: Databases, Directories, Applications
Modernization
• Updated platform support
• Certificate Management updated
• Self-service account unlock added
Privileged Access Mgmt.
• Improved protection of admins
• Just In Time (JIT) admin access
• Auditing for alerts and reports
Hybrid IAM
• Self-service password reset with Azure MFA as a gate
• Hybrid reporting
• AAD and Office 365 integration
Attack timeline: First workstation compromised → (research and preparation, 24-48 hours) → Domain Admin compromised → (data exfiltration, attacker undetected, 11-14 months) → attack discovered
Prepare: Which users have privileged access rights based on AD groups?
Protect: Step-up lifecycle and AuthN protection of privileged user accounts
Operate: Users can request Just In Time (JIT) and Just Enough administrator access privileges
Monitor: Additional auditing, alerts and reports of privileged access requests
Privileged Access Management (diagram)
Existing AD forest(s), WS 2003 or later, domain CORP:
• User “Jen” reaches existing apps and makes user access requests over the existing trust; existing FIM is optional
• Group “Resource Admins”, candidate: Jen
Microsoft Identity Manager, configured for PAM, with a trust for admin access
AD DS v. Next (bastion forest):
• User PRIV\Jen.Admin, groups: CORP\Resource Admins, refresh after 60 minutes (time-based memberships)
• User “Jen.Admin”
Microsoft Identity Manager PAM request flow (diagram)
• MIM Service: MPR → AuthZ WF → Action WF → PowerShell
• Objects in the MIM Service DB: User, Group, PAM Role, PAM Request
• Requesting side: New-PAMRequest → Event Log → runas → whoami /groups, against AD DS v. Next
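As an added illustration (not from the deck) of the request flow the two diagrams above lay out, here is a PowerShell session on the PAM-enabled user's side that requests the “Resource Admins” PAM role and verifies the time-bound membership; the role name, the PRIV\Jen.Admin shadow account and the -Justification parameter of New-PAMRequest are assumptions.

```powershell
# Added example, not from the deck: one JIT request walked through from the
# PAM-enabled user's side, as the two diagrams above lay it out.
# Assumptions: the MIMPAM module is installed on this bastion-forest host, a PAM
# role named "Resource Admins" exists with this user as a candidate, the shadow
# account is PRIV\Jen.Admin, and New-PAMRequest accepts -Justification (assumed).
Import-Module MIMPAM

function Test-HasGroup([string]$GroupName) {
    # whoami /groups /fo csv yields the columns "Group Name","Type","SID","Attributes"
    $groups = whoami /groups /fo csv | ConvertFrom-Csv
    return [bool]($groups | Where-Object { $_.'Group Name' -like "*\$GroupName" })
}

# 1. Before the request the current token should NOT carry the privileged group;
#    if it does, that is standing access, which the PAM design is meant to remove.
if (Test-HasGroup 'Resource Admins') {
    Write-Warning 'Resource Admins is already in the token: standing privilege, not JIT.'
}

# 2. Find the role this candidate is allowed to request and submit the request.
#    This fires the MIM Service MPR -> AuthZ workflow -> Action workflow chain.
$role = Get-PAMRoleForRequest | Where-Object { $_.DisplayName -eq 'Resource Admins' }
if (-not $role) { throw 'Resource Admins is not available to this candidate.' }
$request = New-PAMRequest -Role $role -Justification 'Change ticket PLACEHOLDER-0000'
$request

# 3. The membership is stamped on the shadow account with a TTL, so it only shows
#    up in a new logon token: start a fresh session as the shadow account and check.
runas /user:PRIV\Jen.Admin "cmd /c whoami /groups & pause"

# 4. After the TTL ("refresh after 60 minutes" in the diagram) the membership
#    expires on its own; repeating step 3 should then show the group gone.
```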
Hybrid
• MIM reporting
• Hybrid Sync
• SSPR with Azure phone authentication
• O365 integration
IAM Reporting & Auditing: Current State
• FIM activity reports delivered via System Center Service Manager (FIM 2010 R2)
• Azure AD activity reports delivered via Azure Portal (recently announced, PREVIEW)
Today (FIM reports via System Center)           | Hybrid reporting (Azure portal)
Reports show on FIM Service DB changes          | Adding scenario-based reporting
May require separate SQL and SCDW hosts         | Easier to deploy using cloud storage
Reports ship as part of FIM major releases      | Reports can ship with Azure portal updates
Custom reports require SCDW skills              | Easier to generate custom reports
Hybrid Reporting: Unified Experience
(Diagram, Today) HR system (new employee, departing employee), Active Directory, Exchange, LDAP, MIM, Oracle DB, Finance, Manager
(Diagram, CY 2015 Roadmap) Windows Server Active Directory, Azure AD Sync, Exchange Online, HR system, MIM, Manager, Microsoft Azure Active Directory, LDAP, SharePoint Online, Oracle DB, Azure, Finance, SaaS app
We have added a new “Phone Gate” activity that implements additional phone authentication as part of the SSPR workflow
Self-service account unlock
• With BYOD devices, accounts can become locked after password changes
• Enable self-service unlocking of accounts (without password reset)
Certificate Management modernization
• Modern app for self-service
• New REST API
• OAuth 2 enabled
• CM server support for AD multi-forests
Recent platform versions supported
• Windows Server 2012 R2 and later, SQL Server 2014, SharePoint 2013, Exchange 2013, Visual Studio 2013, ...
(Diagram) A Windows Store application on a Windows device authenticates to AD FS with OAuth 2.0, then calls the MIM CM Server REST API (OAuth 2.0 protected) to install a virtual smartcard on Windows
AD Blog: http://blogs.technet.com/b/ad/
MIM downloads: https://connect.microsoft.com/site433/
Related sessions
• Tue, Oct 28, 3:15 PM-4:30 PM, EM-B214: Privileged Access Management for Active Directory
• Wed, Oct 29, 8:30 AM-9:45 AM, EM-B316: Directory Integration: Creating One Directory with Active Directory and Azure Active Directory
• Wed, Oct 29, 3:15 PM-4:30 PM, CDP-B210: Cloud Identity: Microsoft Azure Active Directory Explained
• Wed, Oct 29, 5:00 PM-6:15 PM, EM-B318: Free Your Apps: Introducing Microsoft Azure Active Directory Application Proxy and Windows Server Web Application Proxy
• Thu, Oct 30, 10:15 AM-11:30 AM, CDP-B312: Microsoft Azure Active Directory Premium, in Depth
• Thu, Oct 30, 12:00 PM-1:15 PM, EM-B310: Active Directory + BYOD = Peace of Mind
• Thu, Oct 30, 5:00 PM-6:15 PM, DEV-B322: Building Web Apps and Mobile Apps Using Microsoft Azure Active Directory for Identity Management
• Fri, Oct 31, 8:30 AM-9:45 AM, CDP-B207: Securing Organizations: Azure Active Directory Intelligence as a Differentiator
• Fri, Oct 31, 2:45 PM-4:00 PM, EM-B313: Microsoft Azure Multi-Factor Authentication Deep Dive: Securing Access on Premises and in the Cloud
http://channel9.msdn.com/Events/TechEd
www.microsoft.com/learning
http://microsoft.com/technet
http://developer.microsoft.com
http://aka.ms/enterprisemobilitysuite
http://aka.ms/microsoftintune
http://aka.ms/configmgr
http://aka.ms/hi
http://aka.ms/aip
http://aka.ms/virtualdesktop