Azure Active Directory
Solutions for Identity and Access Management
February 2015

Copyright

The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. The descriptions of other companies' products in this document, if any, are provided only as a convenience to you. Any such references should not be considered an endorsement or support by Microsoft. Microsoft cannot guarantee their accuracy, and the products may change over time. Also, the descriptions are intended as brief highlights to aid understanding, rather than as thorough coverage.
For authoritative descriptions of these products, please consult their respective manufacturers.

© 2015 Microsoft Corporation. All rights reserved. Any use or distribution of these materials without express authorization of Microsoft Corp. is strictly prohibited. Microsoft, Azure, Active Directory, Office 365, SharePoint, Windows, Microsoft Intune, Windows PowerShell, Windows Server, and Xbox Live are either registered trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Contents

Introduction .. 4
Organizations face identity challenges when doing business in new ways .. 4
Digital identities are at the core of IT-related services .. 6
Hybrid and cloud-based identity services provide .. 7
Azure Active Directory is a comprehensive service .. 7
Benefits and capabilities of Azure Active Directory .. 8
Improve operation, experience, and auditing of on-premises and cloud applications .. 8
Save time managing Office 365 for hybrid enterprises .. 9
Improve security through analytics and intelligence .. 9
Simplify administration of identity-related tasks and improve the user experience .. 11
Improve efficiency of managing the user lifecycle .. 12
Increase developer focus on core functionality of applications .. 13
Features of Azure Active Directory .. 14
Business scenarios and solutions .. 16
Extend Office 365 to enable new solutions .. 17
Enable mobile information workers to access applications .. 17
Enable workers in many environments to access applications .. 18
Enable partners and vendors to access applications .. 20
Streamline mergers and acquisitions .. 20
Support governance, risk management, and compliance .. 21
Examples of organizations using Azure Active Directory .. 21
Architecture patterns for Azure AD identity solutions .. 25
Standard hybrid .. 25
User provisioning for the standard hybrid enterprise .. 25
Using Azure AD as the enterprise directory .. 26
Mostly cloud .. 27
Business partner access .. 29
Mergers and acquisitions .. 30
Standardized identities .. 30
User principal name (UPN) patterns .. 31
Considerations for mobility solutions .. 31
Conclusion .. 32

Introduction

Many organizations are considering the most effective and valuable way to invest in cloud services to modernize, control costs, and enable new capabilities and scenarios. Cloud-based scenarios often require new solutions to provide identity and access management capabilities. This paper presents a collection of common scenarios and discusses the ways Azure Active Directory (Azure AD) provides a comprehensive solution that addresses identity and access management requirements for on-premises and cloud applications, including Office 365 and a world of non-Microsoft SaaS applications. You can use this paper to help plan and prepare for using cloud services in your organization.
Organizations face identity challenges when doing business in new ways

Many organizations are migrating applications, data, and services to the cloud to avoid the costs of building and operating data centers. To remain competitive and relevant, organizations are retooling their business processes and workflows. As email has become a less useful means for collaboration between employees, vendors, and customers, businesses are looking towards new cloud-based collaboration solutions. Organizations also need to meet the expectations of a mobile workforce, with device preferences, flexible schedules, and a desire to use social media. To increase productivity and agility, many businesses are enabling employees to access applications and data anywhere, anytime.
When businesses modernize, they often find shortcomings in infrastructure as well as in governance. Challenges presented by an inadequate identity infrastructure impact administration tasks, limit the types of solutions that an IT department can provide to an organization, complicate workflows, and hinder productivity.

Identity lifecycle management

IT departments burdened with identity and access management tasks have less availability to perform more high-value work, such as developing solutions at a pace that keeps up with business requirements. Provisioning new users can be a time-consuming task, requiring a large amount of administration and configuration across several systems. Users may obtain access slowly and unreliably to the resources they need to perform their jobs.
IT staff may need to access and configure several identity utilities and identity repositories when onboarding a new user for online services. Each time any employee needs to access an IT service, IT staff must manually handle the request and perform administrative tasks to enable access. With this ad hoc manual method, stringent levels of control, as well as compliance with necessary regulatory standards, are difficult to achieve. Each LOB application at an organization can require a separate sign-in process, with many maintaining their own identity stores. IT staff may need to separately provision users for each application, creating management overhead. During acquisitions of other companies, IT services can be inconsistent and unreliable: users in new and old divisions may have difficulty accessing LOB applications, finding each other, and communicating.

Benefits of improving the management of the identity lifecycle include:

- Reduced cost and time to integrate new users
- Maximized investment in existing on-premises identities by extending them to the cloud
- Reduced time for new users to access corporate resources
- Reduced management overhead for the provisioning process
- Improved security by ensuring access to systems can be controlled centrally
- Consistent application of security policies
- Reduced time to integrate acquired companies
- Reduced business interruptions
- Reduced exposure to outdated credentials
- Reduced time and cost to make applications accessible from the internet
- Increased capacity of IT to develop core application features
- Increased security and auditing
- Increased flexibility by delegating specific administration