Provisioning, identity management, authentication, authorization and role management are essential services for the enterprise, both on-premises and across the (hybrid) Cloud. With the growing number of subscriptions to SaaS (Software-as-a-Service) applications across the various entities of the enterprise, the use of the (hybrid) Cloud for core business applications, and the wish to collaborate better internally "Facebook-style" and/or to interact directly with social networks, identity is becoming a genuine service in which identity "bridges" in the Cloud "talk" to on-premises directories and/or SaaS applications, in which the directories themselves are moved to or located in the Cloud to meet the needs of Cloud or mobile applications, bringing with them new, modern protocols built on HTTP. Generally available since April 2013 and used today by Microsoft Online Services such as Office 365, Dynamics CRM Online, Windows Intune and the Windows Azure management portal, Windows Azure Active Directory (AAD) is a modern, multi-tenant "Identity-Management-as-a-Service" (IdMaaS) Cloud service that provides identity management, (single) (multi-factor) authentication and access control for all your Cloud applications and SaaS subscriptions (with many such applications pre-integrated), from any Cloud or hosting provider, any platform, any device, etc. Use this session to get to know AAD, discover its capabilities, key usage scenarios and interfaces, and understand how your AAD tenant(s) can work together with your on-premises identity repositories (or not, depending on your objectives and the populations you target).
This session will illustrate the key scenarios and, in that context, examine the available options for provisioning and synchronizing identity information from Windows Server Active Directory (AD) (or other directory sources) to AAD, Web single sign-on, multi-factor authentication, support for your SaaS subscriptions, integration of your Cloud and mobile applications and/or your Web APIs, and more, with the newly announced Windows Azure Active Directory Premium offering.
Speakers: Philippe Beraud (Microsoft), Arnaud Jumelet (Microsoft France)
Manage your identities and access for the Cloud with Windows Azure Active Directory (Premium)
2. Manage your identities and access for the Cloud with Windows Azure Active Directory (Premium)
Philippe Beraud
Arnaud Jumelet
Technical Office
Microsoft France
philippe.beraud@microsoft.com, @philberd
arnaud.jumelet@microsoft.com, @arnaud_jumelet
Security
6. What is Windows Azure Active Directory?
A complete Cloud solution for identity and entitlement management.
Combines directory services, advanced identity governance, application access management and an identity management platform for developers.
Offers a wide range of free features as well as an advanced paid offering:
Windows Azure Active Directory
7. Many applications, one identity repository.
Manage identities and access to Cloud applications.
Monitor and protect access to enterprise applications.
Personalized access and self-service features.
9. Connect and synchronize Windows Server Active Directory with Windows Azure.
Gallery of pre-integrated SaaS applications.
Easily add custom Cloud apps. Identity management is made easier for developers.
12. Manage identities and access to Cloud applications.
Unified management console for identities and access.
Centralized access administration for pre-integrated SaaS applications and other Cloud apps.
Secure business processes with advanced entitlement management capabilities.
Administrator
13. WINDOWS AZURE ACTIVE DIRECTORY OVERVIEW
Manage identities and access to Cloud applications
#mstechdays
Security
15. WINDOWS AZURE ACTIVE DIRECTORY OVERVIEW
Monitor and protect access to enterprise applications
16. Personalized access and self-service features.
All assigned SaaS apps on a single Web page for Single Sign-On: the Access Panel
Access Panel customization
Self-service password reset for Cloud users
17. WINDOWS AZURE ACTIVE DIRECTORY OVERVIEW
Personalized access and self-service features
18. Free Windows Azure Active Directory offering.
• Directory as a service in Windows Azure
• Provide new apps with identity and access management (ACS, Graph API, SDK)
• Create multiple directories
• Popular pre-integrated SaaS apps for SSO
• Extend Windows Server AD to Windows Azure
• Manage user accounts
• Add cloud-based applications for SSO
• Group management (preview)
• Add SaaS apps from the application gallery for SSO
• Assign a user access to an app
• Provision users to gallery SaaS apps
• Built-in security
• Secure synchronization tools (DirSync)
• Block user access
• Security reports
• Multi-factor authentication (paid)*
• A single screen with each user's assigned SaaS apps: the Access Panel
• Single sign-on experience for SaaS apps from the Access Panel
• Password change for Cloud users
20. Windows Azure Active Directory Premium
First wave of preview features
• Directory as a service in Windows Azure
• Create multiple directories
• Extend Windows Server AD to Windows Azure
• Popular pre-integrated SaaS apps for SSO
• Service level agreement (SLA*)
• No limit on the number of objects**
• Manage user accounts
• Add cloud-based applications for SSO
• Add SaaS apps from the application gallery for SSO
• Group management (preview)
• Built-in security
• Secure synchronization tools (DirSync)
• Block user access
• Assign a user access to an app
• Provision users to gallery SaaS apps
• Use groups to control access to SaaS applications
• Group-based provisioning
• Security reports
• Security reports based on machine learning technology
• Multi-factor authentication*
• A single screen with each user's assigned SaaS apps: the Access Panel
• Single sign-on experience for SaaS apps from the Access Panel
• Change Cloud users' passwords
• Self-service password change for Cloud users
• Customized Access Panel
22. White papers and step-by-step guides
Active Directory from the on-premises to the Cloud – Windows Azure AD whitepapers
Office 365 Single Sign-On with AD FS 2.0
Office 365 Single Sign-On with Shibboleth 2.0
24. To go further
activedirectory.windowsazure.com/develop
Microsoft TechNet documentation
http://go.microsoft.com/fwlink/p/?linkid=290967
Microsoft MSDN documentation
http://go.microsoft.com/fwlink/p/?linkid=290966
Microsoft Active Directory team blog
http://blogs.msdn.com/b/active_directory_team_blog
Windows Azure Active Directory Graph team blog
http://blogs.msdn.com/aadgraphteam
25. Try Windows Azure now!
Partners: http://aka.ms/Azure/Partner
MSDN: http://aka.ms/MSDN/Avantages/Abo (€150 of resources)
Continue the discussion
http://aka.ms/free/trial
One of the results of the new cloud era is the externalization and consumerization of IT. With an increasingly multi-sourced hybrid cloud environment, identity must work seamlessly across the possible combinations for a given workload, with a mix of infrastructure, platforms, services and providers/operators, outside any perimeter and beyond direct organizational control. Users need to access all their services, data and resources from many different locations (at work, at home, or on the move) and from any device (laptops, tablets, smartphones, etc.), regardless of whether those devices are managed or unmanaged, corporate- or personally-owned. That raises a number of new challenges that we need to address.
So let's focus on cloud identity management. We are trying to address three main issues. Help IT departments get control of who is accessing what on the public cloud and provide SSO in a secure and efficient manner: various departments in enterprises are enthusiastically adopting many different SaaS applications, and "Shadow IT" makes its appearance. One way of resolving this problem is adding more federated connections with SaaS applications, but that is a very difficult way to solve Single Sign-On. Password proliferation is another. I am accessing more than 5 cloud services for personal use at least once per week; how many are you using? How many times do you log in each week? For each access and each application we must enter our user name and password, which can become tedious to say the least. The most useful link on those services is the "I forgot my password" one and, to be honest, "I forgot my username" is becoming common too. Imagine the scale of this issue in enterprises. An average user already deals with a bunch of usernames and passwords for his on-premises applications, and cloud-based applications are piling up at an increasing pace. There are already enterprises that have many cloud-based applications in their environment (there are more than 20,000 SaaS apps in the market already according to IDC). Huge amounts of money have been invested in on-premises identity and access management solutions without actually having the problem of Single Sign-On solved; help desks and IT departments all over the world can confirm that. If you add personal cloud applications' identities into the mix, along with the desire to access applications from different devices, you get many frustrated users who voice their unhappiness and put pressure on IT for simpler solutions.
The challenge for IT in today's world of many devices, on-premises apps, cloud apps and hybrid apps is that IT is not always aware of all the cloud-based applications its users are accessing. IT has not purchased or deployed these apps and in most cases has no visibility into how they were purchased or whether they are being managed. With the dramatic increase in cloud applications and the ease of sign-up and free trials, management and users are asking IT departments to provide single sign-on from everywhere to everything. A solution to this problem could be federation with each and every one of those cloud-based applications. But not all of them use the same protocols or standards when it comes to identity management, which can make federation a very difficult task. Instead, organizations need a hub that can sync their on-premises Active Directory, seamlessly connect with many cloud applications, integrate with various protocols and scale around the globe to authenticate users everywhere, from any device, in a way that integrates simply with their existing identities. With more than 95% of Fortune 1000 organizations using Windows Server Active Directory on premises, they would prefer not to reinvent the wheel or recreate all of their identities. The good news is that they don't have to. That is exactly what Windows Azure Active Directory provides, and it does so in a secure and comprehensive manner.
Office 365 is the most visible example of a cloud app based on WAAD for directory services. As of October, we have processed over 430 billion user authentications in Azure AD, up 43% from June. We handle more than 12 billion authentications per week. This is a real testament to the level of scale we can handle! You might also be interested to learn that more than 1.4 million businesses, schools, government agencies and non-profits are now using Azure AD in conjunction with their Microsoft cloud service subscriptions, an increase of 100% since July. And maybe even more amazing is that we now have over 240 million user accounts in Azure AD from companies and organizations in 127 countries around the world. It is a good thing we are up to 14 different data centers; it looks like we are going to need them.
We are going to present the value of Windows Azure Active Directory in detail through these scenarios, which describe customer needs from the IT and end-user perspectives. Every one of those scenarios is actually an area of need that enterprises of all sizes have when it comes to managing identities in the public cloud. In every scenario some features are free and others are part of the Premium offering. We will highlight the paid features on every slide and also provide an overview at the end of the presentation.
The first step to a happy and productive user is a single set of credentials that can be used between an existing on-premises directory and Windows Azure Active Directory (WAAD). Windows Server Active Directory can be easily connected to Windows Azure with Active Directory Federation Services (AD FS). Using DirSync, a downloadable component from Windows Azure that runs on a domain-joined Windows Server, you can quickly populate your existing users and groups into your Windows Azure AD tenant and keep it updated. An alternative approach for smaller enterprises is password hash sync (http://blogs.msdn.com/b/active_directory_team_blog/archive/2013/06/13/10423168.aspx): you don't get all the capabilities of actual federation, but it is easier to set up. From this point on, every application that is or will be connected to WAAD can be accessed with a single set of credentials, the ones a user already uses today to log in to his on-premises Active Directory. To make single sign-on configuration even easier, we have chosen the most popular cloud applications, regardless of the public cloud they are hosted on, and preconfigured all the parameters needed to federate with them. We have created an application gallery containing all of them, so that an administrator can pick the ones the enterprise is using and configure Single Sign-On to them. In the application gallery you can find Microsoft and third-party SaaS apps; some examples are Office 365, Windows Intune, Salesforce, Box, Google Apps mail and Concur. More applications will follow in the next weeks. If your enterprise uses cloud-based, SaaS or custom LoB applications that are not pre-integrated into Windows Azure Active Directory, you can follow simple steps to add them and enable single sign-on to them too. Windows Azure Active Directory also provides developers a way to integrate identity management into their new apps.
A developer can build an application on any platform (.NET, Node, Java), host it in any cloud (we strongly recommend using our rich platform and hosting it on Azure) and leave identity management to Azure AD. Access Control Service provides authentication for identities hosted in Windows Azure Active Directory or even social logins like Microsoft accounts (Live ID), Facebook, Yahoo and Google. The Graph API lets developers query the directory to get a view of an enterprise directory and the relationships between its objects, and use them in the application. For example, if an application has a workflow that must include the manager or the team of the user, the developer can retrieve their identities through the Graph API. More info on what we offer to developers for application integration: http://msdn.microsoft.com/en-us/library/windowsazure/dn151121.aspx At this point we must highlight that Windows Azure Active Directory can also provide identity management for cloud-only solutions. If there is a need for a custom-branded cloud directory to host identities and provide authentication to cloud-based apps built on Azure or any other public cloud, Windows Azure Active Directory can address your needs. Create a Windows Azure Active Directory tenant, give it the name you want, add users and assign them access to cloud-based apps with a new set of credentials. That could be a solution for customer, partner or vendor related projects, or for new companies that are focused on the cloud. Pre-integrated or easily added SaaS apps, custom LoB cloud-based apps and newly developed apps, hosted on Azure or any other cloud, can be connected with Windows Azure Active Directory, making it the home of all the cloud-based applications you need. All capabilities described in this slide are included in the free offering.
548 SaaS apps are already in the application gallery, and counting. For the most up-to-date content of the application gallery see http://www.windowsazure.com/en-us/gallery/active-directory
There are two methods with which we can accomplish synchronization between Windows Server Active Directory and Windows Azure Active Directory. The first method is the fastest to deploy. [You can skip this slide for less technical audiences]
Now that we have gathered identities and applications into one identity store, the next step is to find an efficient way to handle them and their interconnections. And there is one. The Windows Azure Management Portal contains a section specifically for Windows Azure Active Directory administration. You can create and delete users, create groups or sync groups from on-premises AD, and manage user access to the service (including by using groups, which is a feature of Windows Azure AD Premium). Additionally, you can view business-related attributes for every user, configure directory synchronization parameters, add domains and, most important, assign access to the applications that you have already added and connected in Windows Azure Active Directory. Those apps can be of any kind. Whether custom LoB cloud-hosted apps or apps purchased from a vendor, they can be added from the portal and enabled for single sign-on. Single sign-on can be a challenging task for some applications. Windows Azure Active Directory can make the life of an administrator easier by providing a number of popular pre-integrated SaaS applications. In the previous slide we mentioned that we have chosen the most popular cloud applications, regardless of the public cloud they are hosted on, and preconfigured all the parameters needed to federate with them. Your cloud apps are ready when you are. Administrators simply open the Azure Management Console, navigate to Windows Azure AD, click the Applications link, choose to add a new application, pick from the application gallery the SaaS app their enterprise is using and configure the level of interaction with it. This level of interaction can differ, mainly because SaaS apps use different authentication and identity management methods. With some SaaS applications, federated SSO can be configured, while with others only password SSO (password vaulting) is possible.
However, the greatest level of interaction can be achieved with the most popular SaaS apps like Box, Salesforce, Concur and, of course, Office 365. With those apps, single sign-on through federation or password sync is one thing, but you can also create (provision) users and groups in them directly from identities already in Windows Azure Active Directory. Deleting users and groups is possible too, with the same simple steps. In addition, if an application has different access levels, predefined roles can be assigned to users. When a user is hired it often takes administrators many steps to assign access to the right applications, and even more steps are needed when a user is decommissioned, to revoke all his rights. This can be even more difficult for cloud-based applications and for users accessing them from everywhere with many different sets of credentials. The user and group provisioning and deprovisioning to SaaS apps that Windows Azure Active Directory offers can secure business processes by making sure, in a few simple steps, that a user can access only the applications he needs to do his job and nothing more. When a new identity is created, after synchronization with the on-premises AD, the administrator can grant access, single sign-on and provisioning for the new user to a pre-integrated SaaS app in a single procedure. And when a user or a whole group is decommissioned, removing the identity from Windows Azure AD makes the enterprise cloud apps inaccessible from everywhere. The remaining SaaS apps in the application gallery that do not have this high level of integration can be configured for single sign-on once their internal user identities have been created manually with the appropriate tools provided by the application owner. As you have probably noticed, Windows Azure Active Directory offers capabilities that do not exactly match those of the on-premises Active Directory.
But we shouldn't expect those two versions of Active Directory to be exactly the same, since they have to face different challenges in different environments. Group-based access assignment and provisioning is a feature of Windows Azure Active Directory Premium.
These new capabilities deliver great value in their functionality, but it is also important to consider the approach behind securing AAD. Windows Azure Active Directory is based on the Trustworthy Computing principles and is secure by design. We do not store any user passwords from the synchronized on-premises identities, only encrypted password hashes. For identity synchronization DirSync is used, a well-tested and secure component that has been used for on-premises synchronization for many years. To provide further insight, all access attempts are monitored and can be displayed via a basic set of reports. Those reports can track inconsistent access patterns: administrators can view users who signed in from unknown sources, those who attempted to log in after multiple failures, or those who tried to sign in from multiple geographies in short timeframes (the impossible travel report). Additionally, with the Premium offering two more advanced reports are available: sign-ins from suspicious IP addresses and sign-ins from suspicious devices. These last two premium reports are machine learning based, so the behavior of users is actually monitored and anything suspicious (access from a random PC or an unknown IP) is reported. Through those free and premium reports, administrators can gain new insights to improve access security and respond to potential threats. Such a response can be the activation of additional authentication functionality like multi-factor authentication. Using the Windows Azure Portal, administrators can choose a user and enable two-factor authentication for him (Multi-Factor Authentication or MFA). Once enabled, the user will be prompted for the second factor the next time he logs in. MFA offers the multi-factor security you demand using the phones your users already carry. Multiple phone-based authentication methods are available, allowing users to choose the one that works best for them.
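The two basic reports described above, "sign-in from multiple geographies in a short timeframe" (impossible travel) and "sign-in after multiple failures", reduce to simple checks over a sign-in log. The following is an added example written for this page, not code from the TechDays deck or from the Azure AD service: the `SignIn` record layout, the 900 km/h speed threshold, the five-failures-in-ten-minutes rule and the sample events are all constructed assumptions, and the real service's rules are not described on the page.

```python
# Added example (not from the TechDays deck or the Azure AD service): a minimal
# implementation of the checks behind two of the sign-in reports described above,
# "impossible travel" and "sign-in after multiple failures". The record format,
# thresholds and the sample events are constructed assumptions.
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt


@dataclass(frozen=True)
class SignIn:
    user: str
    when: datetime       # all sample times are in one time zone (constructed)
    success: bool
    lat: float           # geolocation of the source IP (constructed)
    lon: float


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points on Earth, in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def impossible_travel(events, max_speed_kmh=900.0):
    """Flag consecutive successful sign-ins by one user whose implied speed
    exceeds max_speed_kmh (assumption: roughly airliner speed).
    Returns (user, first_time, second_time, distance_km) tuples."""
    by_user = defaultdict(list)
    for e in events:
        if e.success:
            by_user[e.user].append(e)
    flagged = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e.when)
        for prev, cur in zip(evs, evs[1:]):
            hours = (cur.when - prev.when).total_seconds() / 3600.0
            dist = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            # A location change with no elapsed time is impossible as well.
            too_fast = (hours == 0 and dist > 0) or (hours > 0 and dist / hours > max_speed_kmh)
            if too_fast:
                flagged.append((user, prev.when, cur.when, round(dist)))
    return flagged


def success_after_failures(events, min_failures=5, window=timedelta(minutes=10)):
    """Flag a successful sign-in preceded by min_failures or more failures
    within `window` (the "multiple failures" pattern). Returns (user, time, failures)."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e.user].append(e)
    flagged = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e.when)
        failures = []
        for e in evs:
            if not e.success:
                failures.append(e.when)
                continue
            recent = [t for t in failures if e.when - t <= window]
            if len(recent) >= min_failures:
                flagged.append((user, e.when, len(recent)))
            failures = []  # a success closes the burst
    return flagged


# Constructed sample: alice "travels" Paris -> Sydney in one hour, bob drives
# Paris -> Lyon in two hours, carol succeeds after six failed attempts.
T0 = datetime(2013, 11, 4, 9, 0)
PARIS, LYON, SYDNEY = (48.8566, 2.3522), (45.7640, 4.8357), (-33.8688, 151.2093)
SAMPLE_EVENTS = [
    SignIn("alice", T0, True, *PARIS),
    SignIn("alice", T0 + timedelta(hours=1), True, *SYDNEY),
    SignIn("bob", T0, True, *PARIS),
    SignIn("bob", T0 + timedelta(hours=2), True, *LYON),
] + [
    SignIn("carol", T0 + timedelta(minutes=i), False, *PARIS) for i in range(6)
] + [SignIn("carol", T0 + timedelta(minutes=7), True, *PARIS)]


def run_reports(events=SAMPLE_EVENTS):
    """Produce both reports for the given events."""
    return {
        "impossible_travel": impossible_travel(events),
        "success_after_failures": success_after_failures(events),
    }


if __name__ == "__main__":
    for name, rows in run_reports().items():
        print(name)
        for row in rows:
            print("  ", row)
```

Running the module prints alice's Paris to Sydney pair (about 16,950 km in one hour) under the travel report and carol's success after six failures under the failures report, while bob's Paris to Lyon trip at roughly 200 km/h is left alone. The geolocation of a source IP is only approximate in practice, so a real report would widen the thresholds or require a minimum distance before flagging.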
And support for multiple methods ensures additional authentication is always available. Multi-Factor Authentication apps are available for Windows Phone, iOS phones and tablets, and Android devices. Users download the free app from the device store and activate it using a code provided during set-up. When the user signs in, a notification is pushed to the app on their mobile device; the user taps to approve or deny the authentication request. Cell or Wi-Fi access is required. For offline authentication, the app can generate a one-time passcode that is entered during sign-in. The one-time-passcode method is comparable to the software or soft-token solutions offered by multi-factor authentication vendors like RSA. Automated phone calls are placed by the MFA service to any phone, landline or mobile; the user simply answers the call and presses # on the phone keypad to complete the sign-in. Text messages are sent by the MFA service to any mobile phone. The text message contains a one-time passcode, and the user is prompted either to reply to the text message with the passcode or to enter the passcode into the sign-in screen. Once acknowledged, the user is authenticated. Multi-Factor Authentication is a paid feature; it is going to be part of the Premium offering when it reaches General Availability. Advanced machine learning-based security reports are part of Windows Azure Active Directory Premium.
From the beginning of this presentation one key principle we highlighted is to simplify how users access applications across many disparate systems, ultimately making them happier and more productive. This can happen if they can access all their apps from many devices and geographies with a single set of credentials. Windows Azure Active Directory is focused on this key capability. When administrators assign access to pre-integrated SaaS applications from the Windows Azure Portal, as we described earlier, shortcuts to these apps are displayed for every user on a single personalized web page hosted on Windows Azure. This web page is called the Access Panel, and from it every user has a personalized view of their apps. From each user's Access Panel all displayed SaaS apps can be launched with a single set of credentials. Being a web page hosted on Windows Azure, the Access Panel is accessible from any device and any place, giving the end user the flexibility he needs. Some restrictions exist while in preview for those SaaS apps that use password SSO instead of federated SSO: those SaaS apps can be launched only from desktop browsers. IE and Chrome are supported for now; more desktop browsers will be supported in the future. The Access Panel can be customized to host the logos and the color schemes the IT administrator wants. This is done from the "configure" tab of the Windows Azure Management Portal (WAAD management page) and is a feature of the premium offering. Another new feature that is part of the premium offering is Self-Service Password Reset (SSPR-U). With this feature a user can reset the password for his cloud-based SaaS application. He can do that from the logon page of the Access Panel or of the Windows Azure Management Portal. Administrators must configure this feature initially and define how many factors the user should use to prove his identity.
Right now only two methods are available: a phone call to a mobile line and/or a phone call to an office line. Both methods can be used simultaneously. The end user must first prove that he is not a machine by typing in text displayed on his screen, then answer a phone call and press the # key. Access Panel customization and SSPR-U are part of Windows Azure Active Directory Premium.
These features are included in the free offering of Windows Azure Active Directory. *With the exception of Windows Azure MFA, which is a paid feature.
The highlighted features are included in the Windows Azure Active Directory Premium offering. Windows Azure Active Directory Premium, built on top of the free offering of Windows Azure AD, provides a robust set of capabilities to empower enterprises with more demanding identity and access management needs. Windows Azure AD Premium, during its first milestone, offers group-based provisioning and access management to SaaS applications, a customized logon environment and detailed machine learning-based security reports. For the end user, Windows Azure AD Premium will provide self-service password reset for cloud applications and customization capabilities for the Access Panel. This is not the final list of premium features; Windows Azure Active Directory Premium will continue to grow and embrace new identity and access management requirements of the cloud era. *SLA and MFA will be part of the paid offering when it hits GA. **The free offering has a limit of 500,000 objects per directory; this limit is raised in the premium offering.
Windows Azure Active Directory is a comprehensive identity and access management cloud solution. It combines core directory services, advanced identity governance, security and application access management. Windows Azure Active Directory also offers developers an identity management platform to deliver access control to their applications based on centralized policy and rules. For enterprises with more demanding needs, an advanced offering, Windows Azure Active Directory Premium, currently in preview, completes the set of capabilities that this identity and access management solution delivers.
The above papers are available on the Microsoft Download Center: Active Directory from the on-premises to the Cloud – Windows Azure AD whitepapers: http://www.microsoft.com/en-us/download/details.aspx?id=36391
See Windows Azure Active Directory: Ready for Production with over 265 Billion Authentications & 2.9 Million Organizations Served!: http://blogs.msdn.com/b/windowsazure/archive/2013/04/08/windows-azure-active-directory-ready-for-production-with-over-265-billion-authentications-amp-2-5-million-organizations-served.aspx