John Doe lllllll John Doe lllllll 1 COST


John Doe lllllll


John Doe lllllll #1 COST 686K $12M+


MESSAGES 2FA verification code: 020987 + John Doe lllllll



High Security ? MESSAGES 2FA verification code: 020987 Inconvenient Convenient John Doe lllllll Low Security


On the road to… NO PASSWORDS

Passwordless authentication User-friendly experience Enterprise grade security 37M 200+



Windows 10 device

1. User authenticates with password + MFA, provides bio-gesture
2. Windows generates private & public key in the Trusted Platform Module (TPM) protected with bio-gesture + attestation blob
3. Windows sends public key + attestation blob
4. Azure AD verifies public key with attestation blob and registers the key with the user
5. Azure AD returns key ID to client


Windows 10 device

1. User sign-in with bio-gesture unlocks TPM holding private key
2. Windows sends “hello”
3. Azure AD sends back nonce
4. Windows uses private key to sign nonce and returns to Azure AD with key ID
5. Azure AD returns PRT + encrypted session key protected in TPM
6. Windows returns the signed PRT and derived session key to Azure AD to verify
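The registration and sign-in exchanges above, reduced to their key-registration and nonce-signing core, as an added example that is not code from the presentation or from Microsoft. A software P-256 key pair stands in for the TPM-held key, the attestation check and the PRT/session-key steps are left out, and every name (`IdentityProvider`, `newDeviceKey`, `signNonce`, `demo`) is hypothetical.

```javascript
const crypto = require('node:crypto');

// Hypothetical in-memory identity provider (stands in for the server side).
class IdentityProvider {
  constructor() {
    this.keys = new Map();    // key ID -> registered public key
    this.nonces = new Set();  // issued nonces not yet consumed
  }

  // Registration: store the public key, return a key ID (attestation check omitted).
  register(publicKey) {
    const keyId = crypto.randomUUID();
    this.keys.set(keyId, publicKey);
    return keyId;
  }

  // Sign-in: answer the client's "hello" with a fresh nonce.
  challenge() {
    const nonce = crypto.randomBytes(32).toString('hex');
    this.nonces.add(nonce);
    return nonce;
  }

  // Sign-in: the nonce is single use and must be signed by the registered key.
  verify(keyId, nonce, signature) {
    if (!this.nonces.delete(nonce)) return 'rejected: unknown or replayed nonce';
    const publicKey = this.keys.get(keyId);
    if (!publicKey) return 'rejected: unknown key ID';
    const ok = crypto.verify('sha256', Buffer.from(nonce), publicKey, signature);
    return ok ? 'accepted' : 'rejected: bad signature';
  }
}

// Device side: a software key pair stands in for the TPM-held key (assumption).
const newDeviceKey = () => crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
const signNonce = (privateKey, nonce) => crypto.sign('sha256', Buffer.from(nonce), privateKey);

// Constructed run: register, sign in, then replay the same signed response.
function demo() {
  const idp = new IdentityProvider();
  const device = newDeviceKey();
  const keyId = idp.register(device.publicKey);
  const nonce = idp.challenge();
  const sig = signNonce(device.privateKey, nonce);
  return [idp.verify(keyId, nonce, sig), idp.verify(keyId, nonce, sig)];
}
console.log(demo());
```

The second `verify` call fails because the nonce was consumed by the first, which is what makes a captured response useless to replay.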


+ Any device Device + Biometric Device unlock Microsoft account On-premises app Windows 10 or other OS Biometric on device Web app Azure Active Directory Microsoft Edge or other browser Microsoft Authenticator SaaS service


Phone sign-in using Microsoft Authenticator janetsmith@contoso.com Passwordless authentication janetsmith@contoso.com Public / Private key exchange Contoso IT janetsmith@contoso.com

Just around the bend…



Phone sign-in using Microsoft Authenticator janetsmith@contoso.com Making sure it’s you Follow the instructions on the Microsoft Authenticator app and enter the number you see below. Passwordless authentication 4026 Cancel Public / Private key exchange Need Help? Contoso janetsmith@contoso.com © 2017 Microsoft Coming in Spring 2018 Terms of Use Privacy & Cookies

FIDO 2.0 compliant POC ready (cloud-only) Device unlock Web Authentication



  • Standards-based, interoperable authentication
  • Works with the same devices people use every day
  • Based on public key cryptography
  • Biometrics and keys never leave the device
  • Protects against phishing, man-in-the-middle and replay attacks

2.0

…and hundreds of industry partners



Add FIDO 2.0 support Contoso janetsmith@contoso.com Great solution for Windows 7, MacOS, and Linux Coming in Summer 2018

Target release for production deployment Hybrid support Trusted user or employee self-service provisioning




+ Any device Device + Biometric Device unlock Microsoft account On-premises app Windows 10 or other OS Biometric on device Web app Azure Active Directory Microsoft Edge or other browser Microsoft Authenticator SaaS service


Monday
  • BRK3020 | What's new and upcoming in AD FS to securely sign-in your users to Office 365 and other applications | OCCC Valencia W415CD | Monday 4:00–5:15 | Sam Devasahayam

Tuesday
  • BRK2019 | Productivity and protection for your employees, partners, and customers with Azure Active Directory | OCCC West Hall F2 | Tue 9:00–10:15 | Alex Simons, Nasos Kladakis
  • THR2072 | Migrate your apps from legacy APIs to Microsoft Graph | OCCC South – Expo Theater #6 | Tue 11:35–11:55 | Jeff Sakowicz, Dan Kershaw
  • BRK2017 | Saying goodbye to passwords | OCCC West Hall F3-4 | Tue 12:45–1:30 | Alex Simons, Manini Roy
  • THR2071 | Managing enterprise applications, permissions, and consent in Azure Active Directory | OCCC West Building Theater - Level 2 | Tue 2:10–2:30 | Jeff Sakowicz
  • BRK1051 | Locking down access to the Azure Cloud using SSO, Roles Based Access Control, and Conditional Access | OCCC W308 | Tue 2:15–3:30 | Stuart Kwan


Thursday
  • BRK2018 | Share corporate resources with your partners using Azure Active Directory B2B collaboration | OCCC W230 | Thu 9:00–10:15 | Mary Lynch, Sarat Subramaniam, Laith Al Shamri
  • BRK3207 | The keys to the cloud: Use Microsoft identities to sign in and access API from your mobile+web apps | OCCC S310 | Thu 10:45–12:00 | Vittorio Bertocci
  • BRK3012 | Secure access to Office 365, SaaS and on-premises apps with Microsoft Enterprise Mobility + Security | OCCC W311 | Thu 10:45–12:00 | Caleb Baker, Chris Green
  • BRK3013 | Ensure users have the right access with Azure Active Directory | OCCC Valencia W415AB | Thu 12:30–1:45 | Joseph Dadzie, Mark Wahl
  • BRK3015 | Deep-dive: Azure Active Directory Authentication and Single Sign-On | OCCC West Hall E1 | Thu 2:15–3:30 | John Craddock
  • BRK3014 | Azure Active Directory best practices from around the world | OCCC Valencia W415AB | Thu 4:00–5:15 | Tarek Dawoud, Mark Morowczynski

Friday
  • BRK2276 | Modernize your customer identity management with Azure Active Directory B2C | OCCC W314 | Friday 9:00–9:45 | Saeed Akhter


Wednesday
  • BRK3388 | Build applications to secure and manage your enterprise using Microsoft Graph | OCCC S210 | Wed 09:00–09:45 | Jeff Sakowicz, Dan Kershaw
  • BRK3225 | Office development: Authentication demystified | OCCC W315 | Wed 10:45–12:00 | Vittorio Bertocci
  • THR2007 | How to get Office 365 to the next level with Azure Active Directory Premium | OCCC South – Expo Theater 10 | Wed 12:35–12:55 | Brjann Brekkan
  • BRK3146 | The power of common identity across any cloud | OCCC W240 | Wed 12:45–1:30 | Sam Devasahayam
  • THR2126 | Azure Active Directory: Your options explained from AD sync to pass through authentication & more | OCCC West – Microsoft Ignite Studio | Wed 1:35–1:55 | Alex Simons, Simon May
  • BRK3352 | Windows devices in Azure Active Directory: Why should I care? | OCCC Valencia W415AB | Wed 2:15–3:30 | Jairo Cadena
  • BRK3295 | What’s new in Azure Active Directory Domain Services | Hyatt Regency Windermere Z | Wed 4:00–5:15 | Mahesh Unnikrishnan
  • BRK3016 | Shut the door to cybercrime with Azure Active Directory risk-based identity protection | OCCC Valencia W415CD | Wed 4:00–5:15 | Alex Weinert, Nitika Gupta

Thank you @alex_a_simons For more information microsoft.com/identity @manini_roy
