Technology Leader's Guide to Azure Active Directory
Identity and Access Management as a Service boosts organizational effectiveness
There’s no question that cloud offerings present businesses with ample opportunity to lower their costs while increasing efficiency and agility. But these organizations will reap these benefits only if they can overcome some of the challenges cloud technology presents.
Chief among the challenges is maintaining proper security for cloud-based applications and data. An important consideration is having an effective IAM strategy that spans both on-premises and cloud-based resources.
Azure Active Directory Premium offers a solution enabling SMBs to easily extend the AD platform with which they are already familiar to also handle cloud solutions. Not using AD? Azure AD Premium also works with myriad other directory offerings.
With Azure AD Premium, businesses can reduce their risk while improving the productivity of their IT group and ensuring compliance with internal and external policies and regulations. Azure Active Directory extends your on-premises directories into the cloud, providing a truly global identity and access management solution that delivers effective, secure and modern IT services.
Managed Solution is in the top 1% of Microsoft Cloud Service Providers worldwide, and a premier partner aligned with Microsoft’s mission to empower every person and every organization on the planet to achieve more.
Intelligent Management: What’s Changing & How You Capitalize
When your job requires you to manage identity, devices, and protect information – you don’t have any “simple” tasks. Just staying up to date on the latest technology, ongoing trends, and emerging threats is a full-time job – to say nothing of having to implement all of this and keep up with the specific day-to-day demands of your organization.
We created the Enterprise Mobility Suite (EMS) to address the enormous challenges associated with identity management, device management, and information protection – and, in this post, I’m going to dive in on what the EMS can do for you in each of these areas.
Identity Management
Single sign-on to multiple apps is something that would be a welcomed time-saver for any worker, and the fact that it would eliminate the need to remember multiple passwords and logins – that’s even better. In the past, many of these problems have been solved via on-prem identity management like Active Directory (AD).
As the current workforce’s workstreams, responsibilities, and data consumption move to the cloud, the management of their identity has to go there, too. Asking an on-prem solution to manage the nearly infinite scale of cloud-based apps is to (at best) invite chaos. Creating a direct connection between your identity management solution and every SaaS app your workforce uses will instantly become too complex to ever successfully manage. Unsurprisingly, however, this is exactly the situation in which many organizations find themselves today:
Figure 4: Creating a direct connection between every organization’s identity management solution and every SaaS application would quickly become too complex to manage.
Rather than spend your days untangling your infrastructure from that sort of tangle, a much more productive approach is using the aforementioned cloud-based solution for identity management. There is only one cloud-based identity management solution that can interoperate with the one you’re already using on-prem: Azure Active Directory Premium (AADP).
With AADP, the AD you’ve been using (AD has a 90% share of the market, so I assume you’re using it!) is still an essential part of your operation, but now, by connecting it to AADP, you can manage all the connections your workforce makes to SaaS apps.
Rather than that train wreck shown above in Figure 4, see how much simpler AADP makes things in Figure 5:
Figure 5: Cloud-based identity management with Azure Active Directory greatly simplifies managing single sign-on to SaaS applications.
AADP intelligently addresses a lot of otherwise intractable problems: SSO is made simple, you retain control of identities via the AD console you already know, and by leveraging the power of a cloud-based control plane you can control access to local and SaaS apps with a single login. Life immediately becomes easier for both the users and the admins.
Azure AD currently provides SSO to more than 2,000 cloud apps, including Office 365, Salesforce.com, Dropbox, Workday, and ServiceNow. To see what it can do in action, I really recommend checking out my recap of the Cloud App Discovery demo I did at Ignite.
It’s not all about SSO, however; this service offers a ton of other features, such as:
•Support for multi-factor authentication (MFA).
This is based on the same technology we built to detect suspicious logins in Outlook.com. In the event our machine learning detects anything suspicious, the person requesting access will automatically get a challenge to provide their password + an additional piece of information (e.g. a code that is sent to their mobile phone). This makes you more secure.
•The Cloud App Discovery tool.
As noted above, this is how you learn which SaaS applications your employees are actually using. For just about every organization, this tool represents the first time they see all the SaaS in use inside of their company. This makes you more educated.
•Detailed reporting that tracks users and issues warnings about suspect behavior.
For example, Azure AD is alerted to logins from possibly compromised corporate identities. When I show this to people they are blown away by how we can identify compromised identities and stop attacks. This makes you more secure.
•Integration with the most popular SaaS applications.
The list includes Salesforce, Workday, and others that go far beyond SSO. For example, you can automatically add a user to these applications when a new user is added to Azure AD. This makes you more efficient.
Device Management
The need to manage devices of every shape/size/platform has long-since been the new normal for IT. Managing the devices themselves (aka Mobile Device Management or MDM) is a must-have first step, but, in order to be proactive/scalable/secure, managing the apps on those devices (aka Mobile Application Management or MAM) is critical.
Mobile devices are much more likely to have the majority of the content they consume come from the cloud and other SaaS apps, so, just like with identity management, the management of these devices also needs to be cloud-based. Running MDM on-prem will require you to route your communications between devices and apps through your on-prem setup:
Figure 6: Traditional solutions for MDM and MAM often require communication between mobile devices and cloud applications to go through an on-premises bottleneck.
There are a lot of legit concerns with this setup, notably: There is a really low ceiling on its performance and scalability. There’s also the fact that when one of your users purchases a new mobile device and is setting it up at home, the communication to the cloud app goes directly to the app and never comes back through your organization. Big problems all around.
Using an on-prem solution for MDM means you have to wrestle with the fact that you’re limiting the speed of interaction between devices and cloud apps, and you’re requiring your own IT organization to worry about scaling in order to do this. Save yourself the years this will take off your life by doing both your MDM and MAM from the cloud. Do it the modern way:
Figure 7: By providing MDM and MAM as a cloud service, Microsoft Intune provides a simpler, more sensible approach for the modern world.
This is the exact approach we have developed with Microsoft Intune. With Intune, devices can use both on-prem and SaaS apps via a common, cloud-based control plane. As noted in Figure 7, what was once a huge bottleneck with on-prem is now a scalable, cloud-based service. Intune can manage all the cloud-based traffic, and your infrastructure can manage on-prem traffic the same as before (in most cases with SCCM).
The benefits of using a cloud-based solution for MDM and MAM are vast.
Consider, for example, the challenge of keeping up with constant stream of OS and app updates – iOS, Android, and now Windows 10 will be updated frequently (and, oftentimes, in ways that affect how those devices are managed). The volume of new material is immense. These updates require subsequent updates to the MDM software so that 1) those devices can continue to operate as expected, and 2) so that the users can take advantage of those new updates.
Here’s what this process looks like using an on-prem setup:
1.The MDM/MAM vendor will need to ship out the new patches to each customer (which takes time).
2.Then you have to install these patches (which takes time).
3.Next, your team will have to test these patches (even more time).
4.Now, multiply this by all the different types of devices and each platform (an insane amount of time).
Considering how often these updates roll out, the odds of you ever being 100% current are very small.
A problem like this seems almost too big to solve – but, with cloud-based MDM/MAM, every time a new version of (for example) iOS is available, we update Intune simultaneously and every one of your devices remains up to date. Automatically. You never see or feel it happen. It just works.
A quick overview of the additional benefits of Intune include:
•The unique ability to effectively manage Office mobile applications on your users’ iOS, Android, and Windows devices. (We’ll look more closely at what this means later.)
•The ability to effectively manage your internal applications – and have them fully participate with the Office mobile apps.
•The ability to effectively manage the key apps from partners like Box, SAP, Adobe and Citrix.
•The ability to remotely delete all corporate information from a user’s device while leaving his personal data intact. You might do this when an employee leaves your organization, or when his device falls out of compliance.
•A unified endpoint management solution that lets you manage your organization’s mobile devices and desktop PC’s from the same administrative environment. This relies on the tight integration Microsoft has built between Intune and System Center Configuration Manager.
Information Protection
Any IT organization is going to sleep a lot easier if they can consistently answer questions like: Who is allowed to access a particular document? and What kind of access is permitted (reading, writing, etc.)?
Being able to get this granular with data protection is worth its weight in gold – if you can do it. Even in the on-prem era, before documents were flying between devices and living in the cloud, this type of control was more aspirational than reality, but now, with a need for it greater than ever, a solution is finally intact.
For the last several years, we have offered something called Active Directory Rights Management Service, but it came with its own limitations:
Figure 8: Relying on an on-premises technology for information protection requires manually configuring point-to-point connections for identity management between individual organizations.
In Figure 8 we see two organizations that want to share a protected doc, and they want only certain people within each org to see it. To do this, each attempt to access the doc has to be verified by a data protection service. An on-prem solution can meet this need if you go to the trouble of setting up a point-to-point federation between the identity management solution each org is using. That’s a lot of trouble for a handful of people to view 1 document. So much trouble, in fact, that it was very rarely done – and this left the boundaries around sensitive docs very porous.
A cloud-based data protection setup, however, looks a lot simpler:
Figure 9: Using a shared cloud solution for identity management and information protection greatly simplifies controlling access to documents.
What you see in Figure 9 is a way for the two orgs to work securely without the giant time commitment of setting up direct connections to each other. Instead, they both securely connect to a cloud service – in this case, Azure AD and Azure Rights Management Service (RMS). With this cloud-based model in place, you can work securely with limitless numbers of organizations and this model moves with you. Working securely means operating simply.
For reference, Azure RMS also delivers:
•Support for policy templates, which allow defining policies for sharing protected documents. For example, an organization might define a template that restricts access to a particular document to people only in the R&D organization.
•Document tracking that monitors successful and unsuccessful access attempts by recipients of a protected document. It also provides the ability to revoke access to a document.
•The option to encrypt documents using your own key rather than one provided by Azure RMS.
•Cloud identity + AADP – we can help protect your cloud identities and your on-prem identities.
Industry Leading System Center Engineering Talent
Do you have the tools in place to empower the "always on" worker, the co-mingling of company and personal business, compliancy, access and data loss? It's time to think about your overall Identity & Access Management Strategy and we can help. Get started with System Center.
[/vc_column_text][/vc_column][vc_column width="1/2"][vc_column_text css_animation="appear"]
Unify your IT management infrastructure & simplify client health with 0 touch deployments.
Streamline operations with a unified infrastructure that integrates device management and protection across mobile, physical, and virtual environments. With System Center Configuration Manager and our patented SHARC tool automating your client's computers health has never been easier.
You can discover, diagnose and clean all your client devices with just a mouse click, even the ones you didn't know were on your network... Without human intervention.
The future of client health automation is here. Managed Solution provides businesses with complete, end-to-end solutions for their technology needs.
[/vc_column_text][/vc_column][/vc_row]
Integrating your on-premises identities with Azure Active Directory By Billmath
Today, users want to be able to access applications both on-premises and in the cloud. They want to be able to do this from any device, be it a laptop, smart phone, or tablet. In order for this to occur, you and your organization need to be able to provide a way for users to access these apps, however moving entirely to the cloud is not always an option.
With the introduction of Azure Active Directory Connect, providing access to these apps and moving to the cloud has never been easier. Azure AD Connect provides the following benefits:
-
Your users can sign on with a common identity both in the cloud and on-premises. They don't need to remember multiple passwords or accounts and administrators don't have to worry about the additional overhead multiple accounts can bring.
-
A single tool and guided experience for connecting your on-premises directories with Azure Active Directory. Once installed the wizard deploys and configures all components required to get your directory integration up and running including sync services, password sync or AD FS, and prerequisites such as the Azure AD PowerShell module.
Why use Azure AD Connect
Integrating your on-premises directories with Azure AD makes your users more productive by providing a common identity for accessing both cloud and on-premises resources. With this integration users and organizations can take advantage of the following:
-
-
Organizations can provide users with a common hybrid identity across on-premises or cloud-based services leveraging Windows Server Active Directory and then connecting to Azure Active Directory.
-
Administrators can provide conditional access based on application resource, device and user identity, network location and multi-factor authentication.
-
Users can leverage their common identity through accounts in Azure AD to Office 365, Intune, SaaS apps and third-party applications.
-
Developers can build applications that leverage the common identity model, integrating applications into Active Directory on-premises or Azure for cloud-based applications.
Azure AD Connect makes this integration easy and simplifies the management of your on-premises and cloud identity infrastructure.
