Microsoft Identity Manager vNext Overview

Agenda
• Capabilities of MIM vNext and the areas we are investing in for the next release
• New capabilities in MIM vNext improve protection from cyberattacks
• Microsoft Identity Manager (MIM) vNext aligns with Azure Active Directory Premium
• Roadmap discussion and feedback
IAM – A Comprehensive Solution

Windows Server
• Active Directory is the primary authentication source today across enterprises
• Active Directory Federation Services integrates with Azure AD and MFA
• Web Application Proxy provides pre-authentication at the edge
• Enforce conditional access to resources

Microsoft Identity Manager
• Delivers self-service identity management
• Automates lifecycle management across heterogeneous platforms
• Provides a rich policy framework for enforcing corporate security policies for identity and access

Azure Active Directory
• Cloud directory
• Cloud authentication
• Azure Active Directory Premium includes Multi-Factor Authentication, and server and user CALs for Identity Manager

[Diagram: on-premises and private cloud (Windows Server, Identity Manager, your apps) connected to Azure Active Directory through Azure AD App Proxy]
Identity Manager Capabilities

[Diagram: Identity Manager platform scenarios. Clients (Portal, Outlook, Windows, Custom) submit requests to the MIM Service, which checks request permission (AuthN, AuthZ), evaluates policies and workflow, and records actions in the Service DB. Scenarios: role management, group management, certificate management, identity synchronization, password reset. Identity stores: databases, directories, applications, cloud services.]
Modernization
• Updated platform support
• Certificate Management updated
• Self-service account unlock added

Privileged Access Management
• Improved protection of admins
• Just In Time (JIT) admin access
• Auditing for alerts and reports

Hybrid IAM
• Self-service password reset with Azure MFA as a gate
• Hybrid reporting
• AAD and Office 365 integration
Typical attack timeline

First workstation compromised → research and preparation (24-48 hours) → domain admin compromised → data exfiltration, attacker undetected (11-14 months) → attack discovered

Standing membership in privileged groups is what turns the first compromised workstation into domain admin within days; removing that standing privilege is the goal of the PAM scenario that follows.
PAM approach

Prepare: Which users have privileged access rights based on AD groups?
Protect: Step-up lifecycle and AuthN protection of privileged user accounts
Operate: Users can request Just In Time (JIT) and Just Enough administrator access privileges
Monitor: Additional auditing, alerts & reports of privileged access requests
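The "Prepare" question above is answered by inventory, not guesswork. The following is an added example, not code from the deck or from the MIM product: it lists every user with standing membership in the built-in privileged AD groups, expanding nested groups so indirect admins are not missed. It assumes the ActiveDirectory RSAT module and a domain account permitted to read group membership; the group SIDs are well-known values, everything else is generic.

```powershell
# Added example (not from the deck): enumerate standing privileged access via AD group membership.
# Assumes the ActiveDirectory RSAT module and a domain account allowed to read group membership.
Import-Module ActiveDirectory

$domainSid = (Get-ADDomain).DomainSID.Value

# Well-known privileged groups, addressed by SID so renamed groups are still found.
$privilegedGroups = @{
    "$domainSid-512" = 'Domain Admins'
    "$domainSid-518" = 'Schema Admins'       # exists only in the forest root domain
    "$domainSid-519" = 'Enterprise Admins'   # exists only in the forest root domain
    'S-1-5-32-544'   = 'Administrators'
    'S-1-5-32-548'   = 'Account Operators'
    'S-1-5-32-549'   = 'Server Operators'
    'S-1-5-32-551'   = 'Backup Operators'
}

$report = foreach ($sid in $privilegedGroups.Keys) {
    try { $group = Get-ADGroup -Identity $sid } catch { continue }  # group not present in this domain

    # -Recursive expands nested groups, so an admin hidden two levels down is still reported.
    # Caveat: it fails on groups that contain foreign security principals from a trusted forest;
    # in a multi-forest environment run this once per forest.
    Get-ADGroupMember -Identity $group -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            $u = Get-ADUser -Identity $_.DistinguishedName -Properties Enabled, LastLogonDate, PasswordLastSet
            [pscustomobject]@{
                Group           = $privilegedGroups[$sid]
                User            = $u.SamAccountName
                Enabled         = $u.Enabled
                LastLogonDate   = $u.LastLogonDate
                PasswordLastSet = $u.PasswordLastSet
            }
        }
}

# Full listing, one row per (group, user) pair.
$report | Sort-Object Group, User | Format-Table -AutoSize

# Candidates for the PAM role model: accounts that hold standing privilege today,
# ordered by how many privileged groups they sit in. Disabled or long-idle accounts
# that still appear here are the first to remove outright rather than convert to JIT.
$report | Group-Object User | Sort-Object Count -Descending |
    Select-Object Name, Count,
        @{ n = 'Groups'; e = { ($_.Group.Group | Sort-Object -Unique) -join ', ' } } |
    Format-Table -AutoSize
```

Run it from a management host in each forest; the second table is the working list for deciding which accounts become PAM candidates (the "Jen" of the next slide) and which should simply lose the membership.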
Privileged Access Management architecture

[Diagram: existing AD forest(s), domain CORP, Windows Server 2003 or later, with existing apps, user access requests and an optional existing FIM. The group "Resource Admins" in CORP has the candidate user "Jen". A separate forest PRIV, running AD DS vNext, hosts Microsoft Identity Manager configured for PAM and the administrative account PRIV\JenAdmin; a trust between the existing forest and PRIV provides admin access. When a request is approved, the token for PRIV\JenAdmin carries CORP\Resource Admins as a time-based membership (refresh after: 60 minutes).]
Demo: requesting JIT access

[Diagram: the user submits New-PAMRequest from PowerShell. The MIM Service matches the PAM Role and PAM Request against its MPRs, runs the AuthZ workflow and then the action workflow, records the request in the MIM Service DB and the event log, and creates the time-based membership in AD DS vNext. The user then starts a new logon with runas and verifies the group with whoami /groups.]
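The request flow on the two slides above, driven from PowerShell, as an added example that is not code from the deck. It assumes the PAM client module as shipped in the released MIM 2016 (module name MIMPAM, cmdlets Get-PAMRoleForRequest and New-PAMRequest with a RequestedTTL in seconds; only New-PAMRequest appears on the slide), a PAM role displayed as "Resource Admins" that maps to CORP\Resource Admins, that AD DS vNext is the time-based membership feature as released in Windows Server 2016, that MIM mirrors the CORP group as a shadow group "CORP.Resource Admins" in PRIV as the released product does, and that the script runs as PRIV\JenAdmin on a PRIV-joined workstation. The domain names are placeholders.

```powershell
# Added example (not from the deck): request JIT membership and verify it from the logon token.
# Assumptions: MIMPAM client module (MIM 2016 PAM), a PAM role "Resource Admins" mapped to
# CORP\Resource Admins, PRIV forest with time-based group membership (Windows Server 2016),
# a shadow group "CORP.Resource Admins" in PRIV, and execution as PRIV\JenAdmin.
Import-Module MIMPAM
Import-Module ActiveDirectory

# 1. Roles this account is a candidate for (the slide's "Candidate: Jen"); pick the one needed.
$role = Get-PAMRoleForRequest | Where-Object { $_.DisplayName -eq 'Resource Admins' }
if (-not $role) { throw 'PRIV\JenAdmin is not a candidate for the Resource Admins role' }

# 2. Submit the request. The MIM Service evaluates its MPRs, runs the AuthZ workflow
#    (approval and/or MFA if the role requires it) and then the action workflow, which
#    writes the expiring membership. RequestedTTL is in seconds: one hour matches the
#    slide's "Refresh after: 60 minutes". Always give a justification; it lands in the
#    audit trail that the Monitor step reports on.
New-PAMRequest -Role $role -Justification 'Ticket 4711: restart the finance app pool' -RequestedTTL 3600

# 3. Inspect the expiring membership. With -ShowMemberTimeToLive each time-limited member
#    DN is prefixed <TTL=seconds>, so the remaining lifetime is visible without MIM.
$shadow = Get-ADGroup -Identity 'CORP.Resource Admins' -Server 'priv.contoso.com' `
                      -Properties member -ShowMemberTimeToLive
$shadow.member | Where-Object { $_ -like '*JenAdmin*' }
# shape of the output:  <TTL=3574>,CN=JenAdmin,CN=Users,DC=priv,DC=contoso,DC=com

# 4. Group membership is computed at logon, so the session that submitted the request
#    does not see the new group. Start a fresh logon:
#        runas /user:PRIV\JenAdmin powershell
#    and in that new session check the token. The group shows up under its CORP name,
#    which is what the slide's "Groups: CORP\Resource Admins" refers to.
function Test-JitGroupInToken {
    param([string]$GroupName = 'CORP\Resource Admins')
    $hit = whoami /groups /fo csv | ConvertFrom-Csv |
           Where-Object { $_.'Group Name' -eq $GroupName }
    if ($hit) { "Token carries $GroupName (SID $($hit.SID))" } else { "Token does not carry $GroupName" }
}
Test-JitGroupInToken

# After the TTL expires a new logon no longer carries the group, and Kerberos tickets issued
# while the membership was live were capped to the same TTL, so access genuinely ends at the
# refresh interval rather than at the next ticket renewal.
```

The practical check for operators is step 4: if `whoami /groups` in the fresh session does not list the group, the request is still pending in an AuthZ workflow or was denied, and the MIM request history (the PAM Request objects and the event log on the slide) tells you which.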
Demo: hybrid IAM
• Hybrid MIM reporting
• Hybrid sync
• SSPR with Azure phone authentication
• O365 integration
IAM Reporting & Auditing: Current State

FIM 2010 R2: FIM activity reports delivered via System Center Service Manager (SCSM)
Azure AD: activity reports delivered via the Azure portal (recently announced, preview)

                 FIM 2010 R2 (SCSM)                         Azure AD (portal, preview)
Scope            Reports show FIM Service DB changes        Adding scenario-based reporting
Deployment       May require separate SQL and SCDW hosts    Easier to deploy using cloud storage
Release cadence  Reports ship as part of FIM major releases Reports can ship with Azure portal updates
Custom reports   Require SCDW skills                        Easier to generate custom reports
Hybrid Reporting: Unified Experience

[Diagram, "Today": MIM on Windows Server connects Active Directory, an HR system, Exchange, LDAP, an Oracle DB and Finance; lifecycle events (new employee, departing employee) are routed to the manager.]

[Diagram, "CY2015 Roadmap": the same on-premises sources plus Azure AD Sync into Microsoft Azure Active Directory, with Exchange Online, SharePoint Online, Azure and SaaS apps; MIM reporting surfaces alongside Azure AD reporting in one experience.]
SSPR with phone gate
We have added a new "Phone Gate" activity to implement additional phone authN as part of the SSPR workflow.

Self-service account unlock
• With BYOD devices, accounts can become locked after password changes
• Enable self-service unlocking of accounts (without a password reset)
Certificate Management modernization
• Modern app for self-service
• New REST API
• OAuth 2 enabled
• CM server support for AD multi-forests

Recent platform versions supported
• Windows Server 2012 R2 and later, SQL Server 2014, SharePoint 2013, Exchange 2013, Visual Studio 2013, ...
[Diagram: a Windows Store application on a Windows device authenticates to AD FS with OAuth 2.0, calls the MIM CM Server REST API (OAuth 2.0 protected), and installs a virtual smartcard on the device.]
AD Blog: http://blogs.technet.com/b/ad/
MIM downloads: https://connect.microsoft.com/site433/
Related sessions
• Tue, Oct 28 3:15 PM-4:30 PM, EM-B214: Privileged Access Management for Active Directory
• Wed, Oct 29 8:30 AM-9:45 AM, EM-B316: Directory Integration: Creating One Directory with Active Directory and Azure Active Directory
• Wed, Oct 29 3:15 PM-4:30 PM, CDP-B210: Cloud Identity: Microsoft Azure Active Directory Explained
• Wed, Oct 29 5:00 PM-6:15 PM, EM-B318: Free Your Apps: Introducing Microsoft Azure Active Directory Application Proxy and Windows Server Web Application Proxy
• Thu, Oct 30 10:15 AM-11:30 AM, CDP-B312: Microsoft Azure Active Directory Premium, in Depth
• Fri, Oct 31 2:45 PM-4:00 PM, EM-B313: Microsoft Azure Multi-Factor Authentication Deep Dive: Securing Access on Premises and in the Cloud
• Thu, Oct 30 12:00 PM-1:15 PM, EM-B310: Active Directory + BYOD = Peace of Mind
• Thu, Oct 30 5:00 PM-6:15 PM, DEV-B322: Building Web Apps and Mobile Apps Using Microsoft Azure Active Directory for Identity Management
• Fri, Oct 31 8:30 AM-9:45 AM, CDP-B207: Securing Organizations: Azure Active Directory Intelligence as a Differentiator
Resources
http://channel9.msdn.com/Events/TechEd
www.microsoft.com/learning
http://microsoft.com/technet
http://developer.microsoft.com
http://aka.ms/enterprisemobilitysuite
http://aka.ms/microsoftintune
http://aka.ms/configmgr
http://aka.ms/hi
http://aka.ms/aip
http://aka.ms/virtualdesktop