
Active Directory Proposal


Page 1: Active Directory Proposal

March 16, 2015

Identity and Access Management using Windows Server Active Directory Service

MJ Ferdous

Account Technology Strategist, Microsoft Bangladesh

Phone: +8801715015093

Email: [email protected]

Ziaul Hoque Mallick

Corporate Accounts Lead, Microsoft Bangladesh

Phone: +8801755501612

Email: [email protected]

Page 2: Active Directory Proposal

2 Proposal for Active Directory

Identity and Access Management on Windows Server Active Directory

Active Directory is Microsoft's directory service that allows administrators to assign policies, deploy software, and apply updates for an entire organization. AD also allows users to store all information in a central location, where it is backed up.

First enterprise-class directory service

Active Directory is the first enterprise-class directory service that is scalable, built from the ground up using Internet-standard technologies, and fully integrated with the operating system.

Benefits of using Active Directory:

• It makes the task of network administration simpler by maintaining a central repository of information.

• It provides a single destination to look up information.

• Access to data is secured through security policies, which improves the management of data.

• It is easily scalable, supporting millions of objects in a single domain.

• It gives unified access to resources by supporting a uniform naming convention.

• Lookup of names, addresses, phone numbers and other “white pages” information is standardized.

• Lookup of network resources like printers, servers, certificates and other “yellow pages” information is standardized.

• Centralizing the management of the system increases reliability and makes it easier to keep up to date.

Benefits of AD with integrated services or software:

• Single sign-on with all AD-integrated applications.

• User profiles automatically sync with Exchange, Lync and SharePoint.

• User information, such as the profile picture, can be updated from SharePoint.

• Any update to user information in AD is automatically synced to all integrated applications.

• Users can view their profile information from Lync or SharePoint.

• Users can easily find their colleagues from Lync, Exchange or SharePoint.

• Users can call, voice-chat or instant-message directly from an Outlook contact or from Lync.

• Contact lists are easy to find from Outlook, Lync or SharePoint.

Page 3: Active Directory Proposal


Active Directory Domain Controller Architecture

Every domain may have shared group policies or individual/separate group policies, as required by each user group.

Domain Controller (DC) Logical Components

The logical components of a Domain Controller do not directly relate to any physical topology such as the layout of the network; instead they are used to organize objects within the directory according to administrative and security requirements.

These logical DC components include:

• Forests

• Domains

• Organizational Units (OUs)

Additionally, as mentioned, the two other major constructs are:

• Identity Provisioning

• Identity Federation

In order to provide the underlying infrastructure for implementing an authentication and management directory service, the future state needs to consider several key components.

These components include the following:

Unified Domain Controller Environment – This directory service will be used to provide authentication, authorization and directory capabilities for common corporate applications and services, and centralized management of identities.

Delegated Data Management – Business groups manage their own users, groups, workstations, printers and servers in the way that is most efficient for their group; the delegation can differ for each domain's users, groups and organizational units.

Organizational Integrity – The logical directory structure must support the application and maintenance of permissions and policy.

Replication Integrity – All Domain Controllers must dependably synchronize the same objects and attributes.

Standardized Format/Attributes – Predictable data and attributes for each directory object.

Single Identity – A single identity object for each user in the Domain Controller.
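The following PowerShell script is an added example and is not part of the Microsoft proposal. It shows how the design components above translate into a concrete directory layout and two operational checks: one OU tree per business group (Delegated Data Management and Organizational Integrity), a group per business group that is granted rights only over user objects under its own OU, a report of replication links that are failing or stale (Replication Integrity), and a report of mail addresses attached to more than one enabled account (Single Identity). It assumes the ActiveDirectory PowerShell module is installed, the caller holds Domain Admins rights, and the business-group names are placeholders; the `dsacls` permission string is an assumption to be checked against `dsacls /?` before use in a real domain.

```powershell
# Added example, not part of the original proposal.
# Assumes the ActiveDirectory module, a Domain Admins caller, and hypothetical
# business groups; the dsacls permission string is an assumption to verify.
Import-Module ActiveDirectory

$Domain     = Get-ADDomain
$DomainDN   = $Domain.DistinguishedName
$NetBIOS    = $Domain.NetBIOSName
$BusinessGroups = @('Sales', 'Finance', 'Engineering')   # hypothetical business groups

foreach ($bg in $BusinessGroups) {
    # Organizational Integrity: one top-level OU per business group, with a sub-OU
    # for each object type the proposal lists, so policy and permissions attach
    # at a predictable place in the tree.
    $bgOU = "OU=$bg,$DomainDN"
    if (-not (Get-ADOrganizationalUnit -LDAPFilter "(ou=$bg)" -SearchBase $DomainDN -SearchScope OneLevel)) {
        New-ADOrganizationalUnit -Name $bg -Path $DomainDN -ProtectedFromAccidentalDeletion $true
    }
    foreach ($sub in 'Users', 'Groups', 'Workstations', 'Printers', 'Servers') {
        if (-not (Get-ADOrganizationalUnit -LDAPFilter "(ou=$sub)" -SearchBase $bgOU -SearchScope OneLevel)) {
            New-ADOrganizationalUnit -Name $sub -Path $bgOU -ProtectedFromAccidentalDeletion $true
        }
    }

    # Delegated Data Management: a security group per business group that may
    # manage user objects under its own Users OU and nothing domain-wide.
    $adminGroup = "$bg-OU-Admins"
    if (-not (Get-ADGroup -LDAPFilter "(sAMAccountName=$adminGroup)")) {
        New-ADGroup -Name $adminGroup -GroupScope Global -GroupCategory Security -Path "OU=Groups,$bgOU"
    }
    # dsacls: full control (GA) on child objects of class "user" only, inherited to
    # sub-objects (/I:S), so the delegate cannot modify the OU object itself.
    # Assumption: verify this permission string against dsacls /? before use.
    & dsacls.exe "OU=Users,$bgOU" /I:S /G "${NetBIOS}\${adminGroup}:GA;;user" | Out-Null
}

# Replication Integrity: every DC must converge on the same objects and attributes.
# Report any partner link with consecutive failures or no success in the last 2 hours.
$staleAfter = (Get-Date).AddHours(-2)
foreach ($dc in (Get-ADDomainController -Filter *)) {
    Get-ADReplicationPartnerMetadata -Target $dc.HostName -Scope Server |
        Where-Object { $_.ConsecutiveReplicationFailures -gt 0 -or $_.LastReplicationSuccess -lt $staleAfter } |
        Select-Object Server, Partner, LastReplicationSuccess, ConsecutiveReplicationFailures, LastReplicationResult
}

# Single Identity: one directory object per person. Flag mail addresses that are
# attached to more than one enabled user account so duplicates can be merged.
Get-ADUser -Filter 'enabled -eq $true -and mail -like "*"' -Properties mail |
    Group-Object { $_.mail.ToLowerInvariant() } |
    Where-Object { $_.Count -gt 1 } |
    ForEach-Object { [pscustomobject]@{ Mail = $_.Name; Accounts = ($_.Group.SamAccountName -join ', ') } }
```

Run it from an elevated PowerShell session on a domain-joined management host; the two reports at the end are the ones worth scheduling, since both replication drift and duplicate identities tend to appear quietly after the initial build.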

Page 4: Active Directory Proposal


Identity and Access Management on Premise and in the Cloud

From personal devices to various identity providers, granting user access to cloud applications is becoming more complex and costly for organizations to manage. With Microsoft’s Windows Azure Active Directory, Allegion gets enterprise-level identity services that help streamline directory and access management in the cloud, provides a seamless sign-in, self-service password reset experience to cloud resources and enhances security with Multi-Factor Authentication.

Simplify access, centralize control

Windows Azure Active Directory is a comprehensive identity and access management cloud solution. It combines core directory services, advanced identity governance, security and application access management. Windows Azure Active Directory also offers to developers an identity management platform based on centralized policy and rules.

Use Windows Azure Active Directory to:

Effectively manage users and access to cloud resources. Manage user accounts and attributes through the Windows Azure management portal. Centrally manage users’ access to Windows Azure and other Microsoft online services like Microsoft Office 365 and a world of non-Microsoft SaaS applications.

Extend your on-premises Active Directory to the cloud. Extend your on-premises directory to Windows Azure Active Directory so that users can authenticate with one set of corporate credentials to their cloud-based resources.

Provide single sign-on and self-service password reset capabilities across your on-premises and cloud applications. Deliver a seamless, single sign-on experience to your users across Microsoft online services, applications built on Windows Azure and hundreds of popular non-Microsoft cloud applications.

Offer Multi-Factor Authentication. Windows Azure Multi-Factor Authentication reduces organizational risk and helps enable regulatory compliance by providing an extra layer of authentication, in addition to a user’s account credentials, to secure employee, customer, and partner access.

How it works

[Diagram: Windows Azure Active Directory connecting your apps and third-party apps, including Dynamics CRM, Office 365, SAP, Box, Workday, Salesforce, Oracle, etc.]

Page 5: Active Directory Proposal


Turn it on for Windows Server Active Directory

Use Multi-Factor Authentication to secure access to on-premises applications and Windows Server, Microsoft online services like Office 365 and SharePoint, as well as third-party cloud services that integrate with Windows Server Active Directory.

Windows Server Active Directory and Multi-Factor Authentication offer you a way to:

• Enable single sign-on: Sync your on-premises identity with Office 365 and SharePoint using Windows Server Active Directory to enable single sign-on to Office 365, SAP, Oracle, Salesforce and over 500 SaaS applications, with more being added.

• Help secure access: Can be part of a solution that complies with NIST 800-63 Level 3, HIPAA, PCI DSS, and other regulatory requirements.

Provides persistent protection. Rights Management persists protection of file data both at rest and in motion. Once information is locked, only trusted entities that were granted usage rights under the specified conditions (if any) can unlock or decrypt it.

Supports closer management of usage rights and conditions. Organizations and individuals can assign usage rights and conditions through Rights Management that define how a specific trusted entity may use rights-protected content. Examples of usage rights are permission to read, copy, print, save, forward and edit. Usage rights can be accompanied by conditions, such as when those rights expire.

Get security and convenience

Windows Server Multi-Factor Authentication helps reduce organizational risk and enable regulatory compliance by providing an extra layer of authentication, in addition to a user’s account credentials, to help secure employee, customer and partner access.

The service is enterprise ready and features integration with remote access VPNs, web applications, virtual desktops, single sign-on systems and cloud applications. It synchronizes with existing user directories for centralized user management and automated enrollment.

Add it to on-premises applications

Windows Server Active Directory and Multi-Factor Authentication also extend beyond Microsoft cloud-based applications like Office 365 and SharePoint. With Windows Server Active Directory, you can apply your customized on-premises Active Directory to all your cloud-based applications, or even let users log in to non-Microsoft applications using identities from Facebook, Google and other identity providers.

Windows Server Multi-Factor Authentication & Rights Management Data Protection

With escalating IT security threats and a growing number of users, applications, and devices, multi-factor authentication has become the new standard for securing access. Regulatory agencies agree and have mandated its use across a broad range of industries.

Multi-Factor Authentication can be rapidly enabled for large, geographically diverse user groups – offering convenience, scale, and security.

Page 6: Active Directory Proposal

NOTICE

The information contained in this document (a) represents Microsoft’s current statement of the features, functions, and capabilities of the products and services described herein, which is subject to change at any time without notice to you, (b) is for your internal evaluation purposes only and should not be interpreted as a binding offer or commitment on the part of Microsoft to provide any product or service described herein; and (c) constitutes Microsoft trade secret information and may not be disclosed to any third party. Any procurement that may result from this information is subject to negotiation and execution of a definitive agreement between customer and its chosen authorized Microsoft reseller incorporating applicable Microsoft commercial terms. Microsoft does not guarantee the accuracy of any information presented and assumes no liability arising from your use of the information. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT.

The descriptions of other companies’ products in this document, if any, are provided only as a convenience to you. Any such references should not be considered an endorsement or support by Microsoft. Microsoft cannot guarantee their accuracy, and the products may change over time. Also, the descriptions are intended as brief highlights to aid understanding, rather than as thorough coverage. For authoritative descriptions of these products, please consult their respective manufacturers.

All trademarks are the property of their respective companies.

©2015 Microsoft Corporation. All rights reserved.