Identity and access management
Protect user credentials and access
Securing systems, applications, and data begins with identity-based access controls. The identity and access management features that are built into Microsoft business products and services help protect your organizational and personal information from unauthorized access while making it available to legitimate users whenever and wherever they need it.
These features enable you to manage user identities, credentials, and access rights from creation through retirement, and help automate and centralize the identity lifecycle processes. Microsoft goes beyond the username and password model to provide stronger authentication, while making security more convenient for users with simplified processes and single sign-on (SSO). Robust tools make it easier for administrators to manage identity, and developers to build policy-based identity management into their apps.
Microsoft uses multiple security practices and technologies across its products and services to manage identity and access.
- Multi-Factor Authentication requires users to use multiple methods for access, on-premises and in the cloud. It provides strong authentication with a range of easy verification options, while accommodating users with a simple sign-in process.
- Microsoft Authenticator provides a user-friendly Multi-Factor Authentication experience that works with both Microsoft Azure Active Directory and Microsoft accounts, and includes support for wearables and fingerprint-based approvals.
- Password policy enforcement increases the security of traditional passwords by imposing length and complexity requirements, forced periodic rotation, and account lockout after failed authentication attempts.
- Token-based authentication enables authentication via Active Directory Federation Services (AD FS) or third-party secure token systems.
- Role-based access control (RBAC) enables you to grant access based on the user’s assigned role, making it easy to give users only the amount of access they need to perform their job duties. You can customize RBAC per your organization’s business model and risk tolerance.
- Integrated identity management (hybrid identity) enables you to maintain control of users’ access across internal datacenters and cloud platforms, creating a single user identity for authentication and authorization to all resources.
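The password-policy bullet above names the controls (length, complexity, rotation, lockout) but not what enforcing them looks like. The following is an added example, not code from the page or from Microsoft, that reads a Windows Server domain's default password policy, flags the weak settings an auditor would look for, and applies a tightened policy. It assumes the ActiveDirectory module (RSAT) and an account authorized to change domain policy; the domain name `corp.example.com` and the threshold values are assumptions for illustration, not a published baseline.

```powershell
# Added example (not from the page): review and tighten the default domain
# password and lockout policy. Assumes the ActiveDirectory module and an
# account authorized to change domain policy. Domain name and threshold
# values are illustrative assumptions.
Import-Module ActiveDirectory

$Domain = 'corp.example.com'   # assumed domain name

# 1. Capture the current policy so the change is reviewable and reversible.
$before = Get-ADDefaultDomainPasswordPolicy -Identity $Domain
$before | Select-Object MinPasswordLength, ComplexityEnabled, MaxPasswordAge,
    PasswordHistoryCount, LockoutThreshold, LockoutDuration, LockoutObservationWindow

# 2. Flag the settings that leave accounts exposed to guessing or reuse.
$findings = @()
if ($before.MinPasswordLength -lt 14)     { $findings += 'MinPasswordLength below 14' }
if (-not $before.ComplexityEnabled)       { $findings += 'Complexity requirements disabled' }
if ($before.LockoutThreshold -eq 0)       { $findings += 'Lockout disabled (threshold 0): unlimited guesses allowed' }
if ($before.PasswordHistoryCount -lt 24)  { $findings += 'Password history too short: quick reuse possible' }
if ($before.ReversibleEncryptionEnabled)  { $findings += 'Reversible encryption enabled: passwords recoverable from the directory' }
$findings | ForEach-Object { Write-Warning $_ }

# 3. Apply the hardened policy. Lockout after 10 failures within 15 minutes
#    blunts online guessing without locking out a user who mistypes twice.
Set-ADDefaultDomainPasswordPolicy -Identity $Domain `
    -MinPasswordLength 14 `
    -ComplexityEnabled $true `
    -PasswordHistoryCount 24 `
    -MaxPasswordAge (New-TimeSpan -Days 90) `
    -MinPasswordAge (New-TimeSpan -Days 1) `
    -LockoutThreshold 10 `
    -LockoutObservationWindow (New-TimeSpan -Minutes 15) `
    -LockoutDuration (New-TimeSpan -Minutes 15) `
    -ReversibleEncryptionEnabled $false

# 4. Verify, and list accounts that are already locked out: a cluster of
#    lockouts across many accounts is a detection signal, not a help-desk issue.
Get-ADDefaultDomainPasswordPolicy -Identity $Domain
Search-ADAccount -LockedOut | Select-Object SamAccountName, LastLogonDate
```

The lockout values are the part worth thinking about: a low threshold with a long duration turns the control into a denial-of-service lever against your own users, so the observation window and duration are kept short while the threshold stays well below what a guessing campaign needs.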
Azure is the foundation for many Microsoft services. Azure Active Directory and Windows Server Active Directory Domain Services enable you to monitor access patterns both in the cloud and on-premises, and to identify and address unauthorized access attempts and other potential threats. Active Directory Domain Services also support features that are widely used in enterprises, such as domain join, LDAP, NTLM, and Kerberos authentication.
You can migrate legacy directory-aware applications running on-premises to Azure without worrying about identity requirements. You do not need to deploy domain controllers as Azure virtual machines (VMs), or use a cross-premises connection, such as site-to-site VPN or ExpressRoute, back to your identity infrastructure.
Secure apps and data
Secure identity and infrastructure provide the foundation for Microsoft products and services.
- Azure Active Directory, a comprehensive identity and access management cloud solution, helps secure access to data in applications on site and in the cloud, and simplifies the management of users and groups. It combines core directory services, advanced identity governance, security, and application access management, and makes it easy for developers to build policy-based identity management into their apps.
- Cloud App Discovery is a premium feature of Azure Active Directory that enables you to identify cloud applications that are used by the employees in your organization.
- Azure Active Directory Identity Protection is a security service that uses Azure Active Directory anomaly detection capabilities to provide a consolidated view into risk events and potential vulnerabilities that could affect your organization’s identities.
- Azure Active Directory Domain Services enables you to join Azure VMs to a domain without the need to deploy domain controllers. Users sign in to these VMs by using their corporate Active Directory credentials, and can seamlessly access resources.
- Azure Multi-Factor Authentication requires the use of more than one method to authenticate a user for access to data in apps both on site and in the cloud. It delivers strong authentication with a range of easy verification options, and accommodates users with a simple sign-in process.
- Azure Active Directory B2C is a highly available, global identity management service for consumer-facing apps that can scale to hundreds of millions of identities and integrate across mobile and web platforms. Your customers can sign in to all of your apps through customizable experiences that use existing social media accounts, or you can create new standalone credentials.
- Azure Active Directory B2B Collaboration is a secure partner integration solution that supports your cross-company relationships by enabling partners to access your corporate applications and data selectively by using their self-managed identities.
- Azure Active Directory Join enables you to extend cloud capabilities to Windows 10 devices for centralized management. It makes it possible for users to connect to the corporate or organizational cloud through Azure Active Directory and simplifies access to apps and resources.
- Azure Active Directory Application Proxy provides SSO and secure remote access for web applications hosted on-premises.
To help protect against unauthorized access, Dynamics 365 uses Azure Active Directory to authenticate users, simplify the management of users and groups, and enable you to assign and revoke privileges easily. By default, only authenticated users can establish a connection to the Dynamics 365 service.
Dynamics 365 for Operations uses a role-based security system to authorize access to a set of entry points, and assigns security roles based on the user’s responsibilities in the business. Customers can further customize security by controlling user access to data through a set of access levels and permissions.
Office 365 uses Azure Active Directory to manage users. You can choose from three main identity models in Office 365 when you set up and manage user accounts. You can also switch to a different identity model if your requirements change.
- Cloud identity. Manage your user accounts in Office 365 only. No on-premises servers are required to manage users; it's all done in the cloud.
- Synchronized identity. Synchronize on-premises directory objects with Office 365 and manage your users on-premises. You can also synchronize passwords so that the users have the same password on-premises and in the cloud, but they must sign in again to use Office 365.
- Federated identity. Synchronize on-premises directory objects with Office 365 and manage your users on-premises. The users have the same password on-premises and in the cloud, and they do not have to sign in again to use Office 365. This is often referred to as SSO.
Azure Active Directory also provides an in-house solution for multi-factor authentication with a phone call, text message, or notification on a dedicated app. It also supports third-party multi-factor authentication solutions. Once users have signed in with multi-factor authentication, they can create one or more app passwords for use in Office client applications.
Power BI uses Azure Active Directory to authenticate users who sign in to the service, and prompts for Power BI credentials whenever a user attempts to access resources that require authentication. Users sign in to the service by using the email addresses they set up in their Power BI accounts; Power BI uses the email address as the username, which is passed to resources whenever a user attempts to connect to data.
Visual Studio Team Services
Visual Studio Team Services (Team Services) users can be authenticated via Microsoft accounts or Azure Active Directory, which performs authentication, authorization, and access control; supports industry standard protocols; and simplifies authentication by providing identity as a service. Azure Active Directory supports multi-factor authentication and SSO across cloud services. With Azure Multi-Factor Authentication, you can require users to verify their sign-in via mobile app, phone call, or text message.
By using built-in groups in Team Services, you can set up your own groups to control access to team projects and collections. You can grant or restrict access with DevOps permissions, work item tracking permissions, and team admin roles and permissions. You can also grant limited access to stakeholders who don’t have a Team Services license so that they can contribute their ideas and access team dashboards.
Windows Server 2016
Microsoft has enhanced Active Directory in Windows Server 2016 by strengthening on-premises identity and access management capabilities to provide more control over administrator access. Just In Time administration and Just Enough Administration limit the time and scope, respectively, of privileged access. Windows Server 2016 also enables the elimination of passwords with increased multi-factor authentication interoperability, and tightly integrates with new Windows 10 client security features such as Microsoft Passport and Windows Hello.
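Just Enough Administration is the most concrete of the controls named above, so here is an added example (not code from the page or from Microsoft) of a JEA endpoint on a Windows Server 2016 host. It lets members of a help-desk group restart one named service and read one event log, and nothing else, without ever holding administrator rights themselves. The group name `CORP\HelpDesk`, the module name, the service `Spooler` and the paths are assumptions for illustration.

```powershell
# Added example (not from the page): a Just Enough Administration endpoint
# scoped to one service and one event log. Group, module, service and paths
# are illustrative assumptions. Run as a local administrator on the host.

$ModulePath = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\HelpDeskJEA'
New-Item -ItemType Directory -Path (Join-Path $ModulePath 'RoleCapabilities') -Force | Out-Null
New-Item -ItemType Directory -Path 'C:\JEA\Transcripts' -Force | Out-Null
New-ModuleManifest -Path (Join-Path $ModulePath 'HelpDeskJEA.psd1')

# Role capability: the allow-list of what a connected user can run.
# Restart-Service is pinned to a single service name, so the role cannot be
# used to bounce anything else on the box.
New-PSRoleCapabilityFile -Path (Join-Path $ModulePath 'RoleCapabilities\ServiceOperator.psrc') `
    -VisibleCmdlets @(
        'Get-Service',
        @{ Name = 'Restart-Service'; Parameters = @{ Name = 'Name'; ValidateSet = 'Spooler' } },
        @{ Name = 'Get-EventLog';    Parameters = @{ Name = 'LogName'; ValidateSet = 'System' }, @{ Name = 'Newest' } }
    ) `
    -VisibleFunctions @() `
    -VisibleExternalCommands @()

# Session configuration: RestrictedRemoteServer hides everything not listed,
# RunAsVirtualAccount means the connecting user is never granted admin rights
# directly, and transcripts give the SOC a record of every command.
$SessionFile = Join-Path $env:TEMP 'HelpDesk.pssc'
New-PSSessionConfigurationFile -Path $SessionFile `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory 'C:\JEA\Transcripts' `
    -RoleDefinitions @{ 'CORP\HelpDesk' = @{ RoleCapabilities = 'ServiceOperator' } }

# Validate before registering: a malformed file can otherwise register an
# unusable or unexpectedly permissive endpoint.
if (-not (Test-PSSessionConfigurationFile -Path $SessionFile)) {
    throw 'Invalid session configuration file'
}

Register-PSSessionConfiguration -Name 'HelpDesk' -Path $SessionFile -Force

# Check from the operator's side (run as a CORP\HelpDesk member):
#   Enter-PSSession -ComputerName localhost -ConfigurationName HelpDesk
#   Get-Command   # only Get-Service, Restart-Service, Get-EventLog and the JEA defaults
```

The scope limit comes from two places working together: the role capability file decides which commands and parameter values are visible, and the virtual account means that even a command that escapes the allow-list runs as a temporary identity rather than as a standing administrator account whose credentials could be reused elsewhere.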
Credential Guard uses virtualization-based security to isolate secrets such as derived domain credentials from the rest of the operating system, so an attacker who gains access to one server cannot extract those credentials to attack other systems. These new features and enhancements work in conjunction with Active Directory Domain Services, Active Directory Federation Services, and Active Directory Rights Management Services, which organizations previously relied upon for secure identity management, authentication, and access control.