Enterprise Mobility + Security: the Microsoft vision
Identity-driven security
• Users: employees, business partners, customers
• Devices
• Apps
• Data
Managed mobile productivity. Comprehensive solution.
Diagram: Microsoft Azure Active Directory (cloud) connects on-premises Windows Server Active Directory and other directories to Azure, SaaS apps and the public cloud through a simple connection, giving customers and partners self-service and single sign-on.
Microsoft Azure Active Directory
• Microsoft "Identity Management as a Service (IDaaS)" for organizations.
• Millions of independent identity systems controlled by enterprise and government "tenants."
• Information is owned and used by the controlling organization, not by Microsoft.
• Born-as-a-cloud directory for Office 365. Extended to manage across many clouds.
• Evolved to manage an organization's relationships with its customers/citizens and partners (B2C and B2B).
By the numbers:
• 85% of Fortune 500 companies use Microsoft Cloud (Azure, O365, CRM Online, and Power BI)
• 33,000 Enterprise Mobility + Security | Azure AD Premium enterprise customers
• >10M Azure AD directories
• >110k third-party applications used with Azure AD each month
• More than 750M user accounts on Azure AD
• >1.3 billion authentications every day on Azure AD
• Every Office 365 and Microsoft Azure customer uses Azure Active Directory
Identity options with Azure Active Directory
Cloud managed (Azure Active Directory only)
• Pros: No deployment time, no on-premises equipment.
• Cons: No SSO and no identity lifecycle integration with the on-premises directory.
Password hash sync (Azure AD Connect sync to Azure Active Directory)
• Pros: Quick to deploy, same password as on-premises.
• Cons: Currently not desktop SSO.
Federated identity (AD FS with Azure AD Connect sync)
• Pros: Windows integrated desktop SSO, client access control, 3rd party MFA integration. End-to-end ongoing validation and support with Office 365.
• Cons: On-premises deployment.
3rd party federated (Ping Federate; federation plus provisioning to Azure Active Directory)
• Pros: 3rd party tools and services pretested for basic auth scenarios with WS-Fed.
• Cons: Second directory store in cloud. Multiple support channels. Provisioning only using PowerShell and Graph API.
Identity synchronization with password (hash) sync
User attributes are synchronized to Azure Active Directory using Azure AD Connect, including a password hash; authentication is completed against Azure Active Directory. *Preview: single sign-on for synchronized AD users.
End user experience:
• Sign-on to AD and to Azure AD required. Same password.
• *SSO for synchronized users provides seamless authentication to Azure AD from a domain-joined PC.
IT pro / admin experience:
• Azure AD Connect is all you need.
• Self-service password reset of the AD password with Azure AD Premium.
* See session BRK 3107.
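An added example (not code from this deck or from Azure AD Connect) of what "including a password hash" means on the cloud side, following the protection step Microsoft documents publicly for password hash sync: the NT hash is hex-encoded, re-encoded as UTF-16LE, salted per user and run through PBKDF2-HMAC-SHA256 for 1000 iterations. Lowercase hex and treating the per-user salt as the PBKDF2 salt parameter are assumptions; the MD4 step that produces the NT hash is out of scope, so the NT hash below is a constructed placeholder.

```python
"""Password hash sync (PHS) protection step, per Microsoft's public documentation.

Added example; not code from this deck or from Azure AD Connect. Documented scheme:
the 16-byte NT hash is hex-encoded (32 chars), the hex string is re-encoded as
UTF-16LE (64 bytes), a 10-byte per-user salt is added, and PBKDF2-HMAC-SHA256 with
1000 iterations yields a 32-byte value that is sent to Azure AD over TLS.
Lowercase hex is an assumption; the MD4 step producing the NT hash is omitted.
"""
import hashlib
import hmac
import os
from typing import Optional, Tuple

ITERATIONS = 1000   # documented PBKDF2 iteration count
SALT_LEN = 10       # documented per-user salt length in bytes


def expand_nt_hash(nt_hash: bytes) -> bytes:
    """16-byte NT hash -> 32 hex characters -> 64 bytes of UTF-16LE."""
    if len(nt_hash) != 16:
        raise ValueError("NT hash must be 16 bytes")
    return nt_hash.hex().encode("utf-16-le")   # lowercase hex: assumption


def protect_for_sync(nt_hash: bytes, salt: Optional[bytes] = None) -> Tuple[bytes, bytes, int]:
    """Derive what the sync agent sends: (derived 32 bytes, per-user salt, iterations).
    The value stored in the cloud is not the NT hash itself, so the synced copy
    cannot be replayed as an NT hash against on-premises AD."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    derived = hashlib.pbkdf2_hmac("sha256", expand_nt_hash(nt_hash), salt, ITERATIONS)
    return derived, salt, ITERATIONS


def verify_cloud_side(nt_hash: bytes, stored: Tuple[bytes, bytes, int]) -> bool:
    """Cloud-side check at sign-in: recompute from the NT hash of the presented
    password with the stored salt and iteration count, then compare in constant time."""
    derived, salt, iterations = stored
    candidate = hashlib.pbkdf2_hmac("sha256", expand_nt_hash(nt_hash), salt, iterations)
    return hmac.compare_digest(candidate, derived)


if __name__ == "__main__":
    # Constructed placeholder NT hash (not derived from any real password).
    nt = bytes(range(16))
    record = protect_for_sync(nt)
    print(record[0].hex(), verify_cloud_side(nt, record))
```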
Identity synchronization with AD FS (federation)
User attributes are synchronized to Azure Active Directory using Azure AD Connect; authentication is passed back through federation and completed against Windows Server Active Directory.
End user experience:
• All authentication to on-premises AD.
• Seamless single sign-on from domain-joined PCs.
IT pro / admin experience:
• Azure AD Connect.
• AD FS and AD FS Proxy installed on premises.
• Self-service password reset of the AD password with Azure AD Premium.
• Credentials not stored in Azure AD.
Identity synchronization with an authentication agent
User attributes are synchronized to Azure Active Directory using identity synchronization tools; authentication is passed on to on-premises and completed against Windows Server Active Directory.
End user experience:
• All authentication to on-premises AD.
• Seamless single sign-on from domain-joined PCs.
IT pro / admin experience:
• Azure AD Connect.
• An authentication agent connects to Azure AD to handle authentication against AD.
• Self-service password reset of the AD password with Azure AD Premium.
• Credentials not stored in Azure AD.
* See session BRK 3107.
https://blogs.technet.microsoft.com/enterprisemobility/2016/01/05/best-way-to-connect-tooffice-365-and-azure-ad-latest-data-azure-adconnect-momentum/
Frequently asked questions (answers as given on the slide)
• A. No; multiple AD forests can be connected to one Azure AD. B. It is highly recommended not to have multiple tenants for the same organization.
• A. Yes, you can mix both on-premises and cloud-only identities.
• A. Yes, tools using PowerShell and the Graph API support create, update and delete of users and groups. B. Azure AD Connect is integrated with Office 365 services and applications, so it is the only tool that supports hybrid environments.
• A. Yes, one Azure AD tenant supports hundreds of unique domain names.
Enterprise Mobility + Security
Identity and access management (Azure AD for O365 +):
• Single sign-on for all apps
• Conditional Access, advanced MFA
• Self-service group management & password reset & write-back
• Dynamic groups, group-based licensing assignment
• Advanced security reports
Basic identity management via Azure AD for O365: single sign-on for O365; basic multi-factor authentication (MFA) for O365; MFA for administrators.
Managed mobile productivity (MDM for O365 +):
• PC management
• Mobile app management (prevent cut/copy/paste/save-as from corporate apps to personal apps)
• Secure content viewers
• Certificate provisioning
• System Center integration
Basic mobile device management via MDM for O365: device settings management; selective wipe; built into the O365 management console.
Information protection (RMS for O365 +):
• Automated intelligent classification and labeling of data
• Tracking and notifications for shared documents
• Protection for on-premises Windows Server file shares
RMS protection via RMS for O365: protection for content stored in Office (on-premises or O365); access to the RMS SDK; bring your own key.
Identity-driven security:
• Cloud App Security: visibility and control for all cloud apps
• Advanced Threat Analytics: identify advanced threats in on-premises identities
• Azure AD Premium P2: risk-based conditional access
Advanced Security Management: insights into suspicious activity in Office 365.
1000s of apps, 1 identity: provide one persona to the workforce for SSO to 1000s of cloud and on-premises apps
• Cloud-connected seamless authentication experience
• Single sign-on to 1000s of pre-integrated apps / your own apps
• Secure remote access to on-premises apps
• Support for lift-and-shift to the cloud
Enable business without borders: stay productive with universal access to every app and collaboration capability
• Ease of use for end users / integration with Office
• Cross-organization collaboration
• Any time, any place productivity with Windows 10
• SSO to mobile apps
• Support for consumer-facing applications
Manage access at scale: manage identities and access at scale in the cloud and on-premises
• Advanced user lifecycle management
• Low IT overhead
• Monitor your identity bridge
Cloud-powered protection: ensure user and admin accountability with better security and governance
• Control access to resources
• Safeguard user authentication
• Respond to advanced threats with risk-based policies and monitoring
• Mitigate administrative risks
• Governance of on-premises and cloud identities
• My identity is protected against fraudulent activities
Microsoft Azure: one identity for every app
• Connect and sync on-premises directories (and other directories) with Azure
• 2600+ pre-integrated popular SaaS apps, and self-service integration via templates
• Easily publish on-premises web apps via Azure Active Directory Application Proxy
• Integrated custom apps
Conditional access
Conditions: user, app sensitivity, device state, location, risk.
Actions: allow access, enforce MFA per user / per app, block access.
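An added example (not code from this deck or from Azure AD) that models the slide's conditions and actions as a small policy evaluator. The constructed policies are illustrative; the combination rule it demonstrates, that a sign-in must satisfy every matching policy so block beats MFA and MFA beats allow, is how Azure AD combines overlapping conditional access policies.

```python
"""Conditional access: the slide's conditions mapped to its actions.

Added example, not code from the deck or from Azure AD. A sign-in is checked
against every policy; the most restrictive matching control wins (block beats
MFA beats allow), matching how overlapping Azure AD policies combine.
The policies below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class SignIn:
    user_groups: frozenset        # user condition
    app_sensitivity: str          # "low" | "high"
    device_state: str             # "compliant" | "unmanaged"
    location: str                 # "trusted" | "untrusted"
    risk: str                     # "none" | "medium" | "high"


@dataclass(frozen=True)
class Policy:
    name: str
    applies: Callable[[SignIn], bool]   # the policy's conditions
    control: str                        # "allow" | "mfa" | "block"


SEVERITY = {"allow": 0, "mfa": 1, "block": 2}


def evaluate(sign_in: SignIn, policies: List[Policy]) -> Tuple[str, List[str]]:
    """Return (action, names of matching policies). No matching policy means
    allow; otherwise the most restrictive matching control is applied."""
    matched = [p for p in policies if p.applies(sign_in)]
    if not matched:
        return "allow", []
    action = max((p.control for p in matched), key=SEVERITY.__getitem__)
    return action, [p.name for p in matched]


POLICIES = [
    Policy("block high risk", lambda s: s.risk == "high", "block"),
    Policy("mfa on medium risk", lambda s: s.risk == "medium", "mfa"),
    Policy("mfa for sensitive apps off-network",
           lambda s: s.app_sensitivity == "high" and s.location == "untrusted", "mfa"),
    Policy("block unmanaged devices on sensitive apps",
           lambda s: s.app_sensitivity == "high" and s.device_state == "unmanaged", "block"),
    Policy("mfa for admins", lambda s: "admins" in s.user_groups, "mfa"),
]

if __name__ == "__main__":
    s = SignIn(frozenset({"staff"}), "high", "compliant", "untrusted", "none")
    print(evaluate(s, POLICIES))   # ('mfa', ['mfa for sensitive apps off-network'])
```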
Multi-factor authentication methods: mobile apps, phone calls, text messages.
CLOUD-POWERED PROTECTION: privileged identity management
• Discover, restrict, and monitor privileged identities
• Enforce on-demand, just-in-time administrative access when needed
• Provides more visibility through alerts, audit reports and access reviews
Example roles: Global Administrator, Billing Administrator, Exchange Administrator, User Administrator, Password Administrator.
Use the power of Identity Protection in Power BI, SIEM and other monitoring tools
Signals detected by the Microsoft machine-learning engine: infected devices, brute force attacks, configuration vulnerabilities, leaked credentials, suspicious sign-in activities.
Delivered through notifications, data extracts/downloads and reporting APIs to security/monitoring/reporting solutions. Apply Microsoft learnings to your existing security tools.
End user experiences: access apps from Office; protected access to SharePoint Online; extend to other SaaS.
Administrative experiences: Conditional Access; on-premises SharePoint setup; *assigning licenses to users.
Azure Active Directory editions
Common features (Free, Basic, Premium):
• Directory as a service: Free: 500,000 object limit (no object limit for Office 365 user accounts); Basic and Premium: no object limit
• User/group management (add/update/delete), user-based provisioning, device registration
• Single sign-on: Free: 10 apps per user (pre-integrated SaaS and developer-integrated apps); Basic: 10 apps per user (free tier + Application Proxy apps); Premium: no limit (free and Basic tiers + self-service app integration templates)
• Self-service password change for cloud users
• Connect (sync engine that extends on-premises directories to Azure Active Directory)
• Basic security/usage reports
Basic features (Basic, Premium):
• Group-based access management/provisioning
• Provisioning customization
• Self-service password reset for cloud users
• Company branding (logon pages / access panel customization)
• Application Proxy
• SLA
Premium features (P1 and P2 unless noted):
• Self-service group and app management / self-service application additions / dynamic groups
• Self-service password reset/change/account unlock with on-premises write-back
• Advanced usage reporting
• Multi-factor authentication (cloud and on-premises (MFA server))
• MIM CAL + MIM server
• Cloud app discovery
• Automated password rollover
• Connect Health
• Conditional Access (user, application, location, device rules)
• Identity Protection (P2)
• Privileged Identity Management (P2)
Azure Active Directory Join (Windows 10 only related features): Free and Basic: Yes; Premium: MDM auto-enrolment, self-service BitLocker recovery, additional local administrators to Windows 10 devices via Azure AD Join, Enterprise State Roaming.
(Slide note: "Limited, cloud only for Office 365 apps")
Related sessions
• BRK 2139 Protect your business and empower your users with cloud Identity and Access Management
• BRK 3107 Connect your on-premises directories to Azure AD and use one identity for all your apps
• BRK 3225 Secure access to Office 365, SaaS, and on-premises apps and files with Azure AD and Intune
• BRK 3019 Manage Office 365 Groups
• 04:30: BRK 3109 Deliver management and security at scale to Office 365 with Azure Active Directory
• BRK 3111 Manage productivity at scale with Azure Active Directory
• BRK 2170 Learn how Unilever modernized IT with Azure Active Directory at the core
• BRK 3139 Throw away your DMZ: Azure Active Directory Application Proxy deep-dive
• BRK 3181 Secure your web applications with Microsoft identity
• BRK 3252 Use managed domain services on Microsoft Azure
• BRK 3182 Secure your native and mobile applications with Microsoft identity and application management
• BRK 3110 Respond to advanced threats before they start: identity protection at its best!
• BRK 3179 Modernize your app's consumer identity management with Azure AD B2C
• BRK 2067 Manage access to SaaS applications with Azure Active Directory
• BRK 3074 Discover what's new in Active Directory Federation and Domain Services in Windows Server 2016
• BRK 3108 Share corporate resources with your partners using Azure AD B2B collaboration
• BRK 3330 Join your Windows 10 devices to Azure AD for anywhere, anytime productivity
Resources
• Try Enterprise Mobility + Security for free, today: www.microsoft.com/en-us/cloud-platform/enterprise-mobility-trial
• Read the CIO's guide to Azure Active Directory: https://info.microsoft.com/CIOs.Guide.To.Azure.AD.html?ls=Website
• Explore Identity + Access Management: www.microsoft.com/identity
• Learn more from the Azure AD documentation library: https://docs.microsoft.com/en-us/active-directory/
• Discover password best practices: https://info.microsoft.com/Microsoft.Password.Guidance.html?ls=Website
• Check out the new Azure AD webinars: https://info.microsoft.com/AADP-Webinar-CLE_AADP-Main-Landing-Page.html?ls=Media
• Microsoft is a leader in Gartner's IDaaS MQ 2016: https://info.microsoft.com/EMS-IDaaS-MQ-2016.html?ls=Website
• Playbook with guidelines on enabling Azure AD Premium: http://aka.ms/aadpocplaybook
CLOUD-POWERED PROTECTION: MFA for Office 365/Azure administrators vs Azure Multi-Factor Authentication
Features listed on the slide:
• Administrators can enable/enforce MFA for end users
• Use mobile app (online and OTP) as second authentication factor
• Use phone call as second authentication factor
• Use SMS as second authentication factor
• Application passwords for non-browser clients (e.g., Outlook, Lync)
• Default Microsoft greetings during authentication phone calls
• Suspend MFA from known devices
• Custom greetings during authentication phone calls
• Fraud alert
• MFA SDK
• Security reports
• MFA for on-premises applications / MFA server
• One-time bypass
• Block/unblock users
• Customizable caller ID for authentication phone calls
• Event confirmation
• Trusted IPs