Overview of Azure Active Directory for app access

  • Slides: 26


Overview of Azure Active Directory for app access: integration with third party SaaS apps, user provisioning and federation


A comprehensive identity and access management cloud solution. It combines directory services, advanced identity governance, application access management and a rich standards-based platform for developers. Azure Active Directory Premium is an advanced offering that includes IAM capabilities for on-premises, hybrid and cloud environments.


[Diagram: Active Directory and other directories connected through Azure AD to Microsoft apps, non-Microsoft cloud-based apps, and PCs and devices]


[Diagram: on-premises side: DirSync, AAD Sync, ADFS, other IdP, Azure PowerShell, third party APIs; Azure AD side: SAML, OpenID Connect, SDKs]


Preintegrated SaaS applications (columns as on the slide: user provisioning and de-provisioning / federated SSO from Access Panel / password SSO from Access Panel):
• Box: Available
• Citrix GoToMeeting: Available
• Concur: Available / Not available / Available
• DocuSign: Available / Not available / Available
• Dropbox for Business: Available
• Google Apps: Available
• Jive Software: Available / Not available / Available
• Salesforce.com: Available
• ServiceNow: Available / Not available / Available
• Workday


User identifiers and naming constraints:
• DomainAccountName (AD DS, AD FS)
• User Principal Name (AccountName@local or AccountName@domain)
• Pairwise identifiers
• Other attributes
• Names must be globally unique in some apps, e.g., Salesforce
• Some SaaS apps will assume names are routable email addresses, and email the user (e.g., Box, Dropbox for Business, Citrix GoToMeeting)
• SaaS apps generally require valid domains


Provisioning and federation behaviour:
• AAD sends attributes if available; if there are too many errors, tenant sync to that app is quarantined
• Attributes required by a SaaS app but not part of the Azure AD schema have predetermined values
• UPNs must match the naming attribute in the SaaS app, otherwise the user won't be able to achieve federated SSO
• Azure AD issues SAML tokens for any users of consented or integrated applications
• Microsoft Accounts belonging to a single directory can use the Access Panel; however, Microsoft Accounts and guests from other directories can't be provisioned into third party SaaS apps


Salesforce:
• Requires Enterprise, Unlimited or Developer edition
• This quota might need to be increased for your tenant with a call to Salesforce support
• Azure AD will change the UPN upon deletion of the user in Azure AD, to avoid UPN conflicts


Salesforce Attribute Name | Azure AD Default Value | Mapped Attribute
UserName (joining property) | | UserPrincipalName
lastName | | Surname
firstName | | GivenName
Alias | | First 8 characters of field "UserPrincipalName"
IsActive | True | If user is Soft Deleted
Email | | "Mail", otherwise "UserPrincipalName"
EmailEncodingKey | ISO-8859-1 |
LanguageLocaleKey | en_US |
LocaleSidKey | en_US | preferredLanguage
ProfileId | ProfileName: Chatter Free User | Based on user's assignment to Salesforce in Azure AD
TimeZoneSidKey | America/Los_Angeles |
UserPermissionsCallCenterAutoLogOn | false |
UserPermissionsMarketingUser | False |
UserPermissionsOfflineUser | False |
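The naming constraints (routable UPN with a valid domain, global uniqueness, UPN matching the SaaS naming attribute), the quarantine-on-too-many-errors behaviour, and the Salesforce mapping table above can be exercised together in a small simulation. The following is an added example written for this page, not code from the slides or from Microsoft: the user names and domain are constructed, the Salesforce keys follow the slide's spelling, `profile_name` stands in for the slide's "based on user's assignment to Salesforce in Azure AD", and the error threshold `max_errors` is an assumption, since the slides give no number.

```python
"""Constructed example: pre-provisioning checks and the default
Azure AD -> Salesforce attribute mapping described on the slides."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Assumption: the SaaS app treats the naming attribute as a routable e-mail
# address with a valid domain, so "user@local"-style UPNs fail the check.
_ROUTABLE_RE = re.compile(r"^[A-Za-z0-9._%+-]+@(?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,}$")


@dataclass
class AadUser:
    """Subset of Azure AD user attributes referenced by the mapping table."""
    user_principal_name: str
    surname: str
    given_name: str
    mail: Optional[str] = None
    preferred_language: Optional[str] = None
    soft_deleted: bool = False


def upn_problems(upn: str, saas_naming_attribute: str, existing_names: Set[str]) -> List[str]:
    """Reasons a UPN would break provisioning or federated SSO, per the slides."""
    problems = []
    if not _ROUTABLE_RE.match(upn):
        problems.append("UPN is not a routable address with a valid domain")
    if upn.lower() != saas_naming_attribute.lower():
        problems.append("UPN does not match the naming attribute in the SaaS app; federated SSO will fail")
    if upn.lower() in {n.lower() for n in existing_names}:
        problems.append("name is not globally unique in the SaaS app")
    return problems


def map_to_salesforce(u: AadUser, profile_name: str = "Chatter Free User") -> Dict[str, object]:
    """Apply the slide's default mapping. Keys are the Salesforce attribute
    names as given on the slide; profile_name models the slide's "based on
    user's assignment to Salesforce in Azure AD" (assumption)."""
    upn = u.user_principal_name
    return {
        "UserName": upn,                     # joining property
        "lastName": u.surname,
        "firstName": u.given_name,
        "Alias": upn[:8],                    # first 8 characters of the UPN
        "IsActive": not u.soft_deleted,      # True unless the user is soft deleted
        "Email": u.mail or upn,              # Mail, otherwise UserPrincipalName
        "EmailEncodingKey": "ISO-8859-1",
        "LanguageLocaleKey": "en_US",
        "LocaleSidKey": u.preferred_language or "en_US",
        "ProfileName": profile_name,
        "TimeZoneSidKey": "America/Los_Angeles",
        "UserPermissionsCallCenterAutoLogOn": False,
        "UserPermissionsMarketingUser": False,
        "UserPermissionsOfflineUser": False,
    }


def provision_batch(users: List[AadUser], saas_names: Dict[str, str],
                    max_errors: int = 2) -> Dict[str, object]:
    """Simulate one sync run: each user is mapped and sent if its checks pass;
    once the error count reaches max_errors the run is quarantined and the
    remaining users are skipped. saas_names maps a UPN to the naming attribute
    the SaaS app already holds for that user (a new user defaults to its UPN).
    The threshold is an assumption; the slides say only "too many errors"."""
    outcome: Dict[str, object] = {"sent": [], "errors": {}, "quarantined": False}
    errors = 0
    for u in users:
        if errors >= max_errors:
            outcome["quarantined"] = True
            break
        upn = u.user_principal_name
        problems = upn_problems(upn, saas_names.get(upn, upn), set(outcome["sent"]))
        if problems:
            errors += 1
            outcome["errors"][upn] = problems
            continue
        outcome["sent"].append(map_to_salesforce(u)["UserName"])
    return outcome


if __name__ == "__main__":
    # Constructed sample directory: two users carry non-routable "@local" UPNs
    # and one has a SaaS-side name that differs from its UPN.
    sample = [
        AadUser("alice@contoso.example", "Smith", "Alice"),
        AadUser("bob@local", "Jones", "Bob"),
        AadUser("carol@contoso.example", "Lee", "Carol", mail="carol.lee@contoso.example"),
        AadUser("dave@local", "Kim", "Dave"),
        AadUser("erin@contoso.example", "Ng", "Erin"),
    ]
    print(provision_batch(sample, {"carol@contoso.example": "carol.lee@contoso.example"}))
```

Running the block shows the failure modes the slides warn about: the `@local` UPN is rejected as non-routable, the mismatched naming attribute is flagged as a federated SSO failure, and once two errors have accumulated the remaining users are left unprovisioned with the run marked quarantined, which is the state an administrator would then have to clear before sync resumes.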


Box:
• Box requires a confirming email for new users
• Users can exist in only one tenant
• Users' addresses are validated by Box on rename


ServiceNow:
• May need to contact ServiceNow support to enable API access for user management and SAML SSO
• Identify an account for Azure AD that can read user, department and location attributes, and write users
• Upgrade to SAML 2.0 Update 1
• Review http://wiki.servicenow.com/index.php?title=SAML_2.0_Troubleshooting


Resources:
• Tutorials: http://msdn.microsoft.com/en-us/library/azure/dn308590.aspx (covers integrations with Box, Citrix GoToMeeting, Concur, DocuSign, Dropbox for Business, Google Apps, Jive, Salesforce, ServiceNow, Workday)
• API docs: http://msdn.microsoft.com/library/azure/jj673460.aspx
• Wiki: http://aka.ms/aadsaas
• IT Pro forum: http://aka.ms/aadforum


Session | Title | Timeslot
DCIM-B382 | Cloud Identity and Access Management: Microsoft Azure Active Directory Premium | Tuesday, May 13, 10:15 AM - 11:30 AM
FDN02 | Enabling Enterprise Mobility with Windows Intune, Microsoft Azure, and Windows Server | Monday, May 12, 11:00 AM - 12:00 PM
PCIT-B212 | Design Considerations for BYOD | Tuesday, May 13, 10:15 AM - 11:30 AM
PCIT-B213 | Access Control in BYOD and Directory Integration in a Hybrid Identity Infrastructure | Wednesday, May 14, 3:15 PM - 4:30 PM
PCIT-B310 | Empowering Your Users and Protecting Your Corporate Data | Monday, May 12, 1:15 PM - 2:30 PM
PCIT-B313 | Hybrid Identity: Extending Active Directory to the Cloud | Monday, May 12, 4:45 PM - 6:00 PM
PCIT-B314 | Understanding Microsoft's BYOD Strategy and an Introduction to New Capabilities in Windows Server 2012 R2 | Tuesday, May 13, 8:30 AM - 9:45 AM
PCIT-B321 | Deploying the New RMS for Cloud-Friendly and Cloud-Reluctant Customers | Tuesday, May 13, 5:00 PM - 6:15 PM
PCIT-B322 | Deploying and Managing Work Folders | Wednesday, May 14, 10:15 AM - 11:30 AM
PCIT-B324 | How to Rapidly Design and Deploy an Active Directory Federation Services Farm: The Do's and the Don'ts | Wednesday, May 14, 8:30 AM - 9:45 AM
PCIT-B327 | Introducing Web Application Proxy in Windows Server 2012 R2: Enable Work from Anywhere | Wednesday, May 14, 3:15 PM - 4:30 PM
PCIT-B328 | Microsoft Identity Manager vNext Overview | Wednesday, May 14, 5:00 PM - 6:15 PM
PCIT-B330 | Active Directory + BYOD = Peace of Mind | Thursday, May 15, 8:30 AM - 9:45 AM


http://channel9.msdn.com/Events/TechEd | www.microsoft.com/learning | http://microsoft.com/technet | http://microsoft.com/msdn