IntroducingWindowsServer2016_ebook
Users can add their personal Microsoft accounts to access their personal pictures and files without affecting enterprise data. (Roaming settings continue to work with their work accounts.) The Microsoft account makes SSO possible and no longer drives the roaming of settings.

Users can do a self-service password reset (SSPR) on winlogon, meaning they can reset a forgotten password. (Azure AD Premium feature.)

Users have access to the enterprise Windows Store so that they can acquire and use line-of-business apps on their personal devices.
Microsoft Passport

Authentication methods are moving at a faster pace than ever before. Think about it for a moment: you sign in to your laptop and then open your browser to go to your favorite websites, where you sign in again. In these instances, you are not always using your corporate credentials. If you hear of a new service and want to access it, the chances are that you will be prompted to sign up and use credentials from, for example, your public Microsoft account, Facebook, Google, and so on. The traditional paradigm of building a dedicated identity authentication provider as an application developer is giving way to the use of "well-known" identity services like those just mentioned.

Microsoft Passport is a new key-based authentication method that goes beyond passwords to mitigate traditional authentication attacks. A user enrolls for Microsoft Passport but must ensure that the authentication provider she uses supports Fast Identity Online (FIDO) authentication; thus, through a two-step process, the user sets up Microsoft Passport on her device and sets a gesture or PIN. This can then be used to authenticate the user via Microsoft Passport.

During the setup, a certificate or asymmetric key pair is stored on the device. The private key is stored within the TPM chip on the device and never leaves the device during the authentication process. The public key is registered in Azure Active Directory and Windows Server Active Directory. The user account holds a mapping between the public and private key, which is what validates the user. Additional controls are implemented via one-time passwords, PhoneFactor, and so on.

More info: For further information on deploying Microsoft Passport, see https://aka.ms/bh1m24.
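The key-based flow described above (private key held by the device, only the public key registered with the directory, a fresh challenge signed per sign-in after the PIN unlocks the key) is easy to misunderstand as "a key instead of a password". The following Go program is an added illustration written for this page; it is not Microsoft's code and does not use the real Passport or TPM APIs. The deviceKeyStore type stands in for the TPM, the Directory type stands in for Azure AD / AD DS, the PIN hashing and the user name alice@contoso.example are constructed for the example, and Ed25519 is used only because it is in Go's standard library. What the example shows that the prose does not is why the design resists replay: every nonce is single-use, so a captured response cannot be presented twice, and a wrong PIN never reaches the signing step.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
)

// deviceKeyStore stands in for the TPM: the private key is created here and
// never leaves; callers can only ask it to sign after presenting the PIN.
// (The PIN hash is a constructed stand-in for the TPM's own gesture policy.)
type deviceKeyStore struct {
	priv    ed25519.PrivateKey
	pinHash [32]byte
}

// Device is the user's enrolled machine. Only the public key is exported.
type Device struct {
	User  string
	Pub   ed25519.PublicKey
	store deviceKeyStore
}

// Directory models the identity provider (Azure AD / AD DS): it holds the
// registered public key per user and the nonces issued but not yet consumed.
type Directory struct {
	pubKeys map[string]ed25519.PublicKey
	nonces  map[string]map[string]bool // user -> outstanding nonce (hex) -> true
}

func NewDirectory() *Directory {
	return &Directory{pubKeys: map[string]ed25519.PublicKey{}, nonces: map[string]map[string]bool{}}
}

// Enroll is the two-step setup: the device generates the key pair and sets the
// PIN, then registers only the public key with the directory.
func Enroll(dir *Directory, user, pin string) (*Device, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	d := &Device{User: user, Pub: pub, store: deviceKeyStore{priv: priv, pinHash: sha256.Sum256([]byte(pin))}}
	dir.pubKeys[user] = pub
	return d, nil
}

// Challenge issues a fresh random nonce for an enrolled user and remembers it
// so that each nonce can be redeemed exactly once.
func (dir *Directory) Challenge(user string) ([]byte, error) {
	if _, ok := dir.pubKeys[user]; !ok {
		return nil, errors.New("user not enrolled")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	if dir.nonces[user] == nil {
		dir.nonces[user] = map[string]bool{}
	}
	dir.nonces[user][hex.EncodeToString(nonce)] = true
	return nonce, nil
}

// Respond is the user gesture: the PIN unlocks the key store, which signs the
// nonce. The private key itself is never returned to the caller.
func (d *Device) Respond(pin string, nonce []byte) ([]byte, error) {
	h := sha256.Sum256([]byte(pin))
	if subtle.ConstantTimeCompare(h[:], d.store.pinHash[:]) != 1 {
		return nil, errors.New("wrong PIN: key store stays locked")
	}
	return ed25519.Sign(d.store.priv, nonce), nil
}

// Verify consumes the nonce first (so a captured response can never be
// replayed, even if verification fails) and then checks the signature against
// the registered public key.
func (dir *Directory) Verify(user string, nonce, sig []byte) bool {
	pub, ok := dir.pubKeys[user]
	if !ok {
		return false
	}
	key := hex.EncodeToString(nonce)
	if !dir.nonces[user][key] {
		return false // unknown or already-used nonce
	}
	delete(dir.nonces[user], key)
	return ed25519.Verify(pub, nonce, sig)
}

func main() {
	dir := NewDirectory()
	dev, _ := Enroll(dir, "alice@contoso.example", "1234") // constructed sample user
	nonce, _ := dir.Challenge(dev.User)
	sig, _ := dev.Respond("1234", nonce)
	fmt.Println("first sign-in accepted:", dir.Verify(dev.User, nonce, sig))
	fmt.Println("replayed response accepted:", dir.Verify(dev.User, nonce, sig))
}
```

Running it prints true for the first sign-in and false for the replay. The detail worth noting for anyone building or reviewing such a flow is that the directory never stores anything secret for the user: compromising its key table yields only public keys, which is the property the section contrasts with password databases.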
Active Directory Federation Services

As we move forward in a cloud-focused world, being able to control your identity is becoming more important. We need to think about how we can use our corporate identity to access applications that we don't technically own anymore. We also need to think about how we provide access to applications we own to other organizations in a secure and controlled manner without having a cumbersome user-management process.

Active Directory Federation Services (AD FS) provides this ability so that you can connect to applications that are on-premises or in the cloud (Platform as a Service [PaaS] or SaaS) with your corporate identity.
128 CHAPTER 4 | Security and identity