Welcome, welcome, welcome! Thank you for being here. This session is about cloud identity and access management. And I'm Nasos Kladakis. I am the product manager of Azure Active Directory for Enterprise Mobility and Security. I am with the team that built Azure Active Directory almost from the beginning. So I think I know almost everything, okay.
This is what I say to people and to my engineers. So today, I will try to share everything with you. At the end of the session, I want you to have a great understanding of what cloud identity and access management means for Microsoft. That's the goal of this session, okay? It's the only identity session that you will attend at this event. I want you to get everything that we build on Azure Active Directory. Everything that we have in cloud identity and access management.
What's in it for you? What's the benefit for your users? And why you should use this solution. Of course, it's impossible to cover that in 75 minutes, so in every slide, or at least in most of the slides, you will see a code. It's the code of the session that has more details on the specific topic. So, if you see something that makes sense to you and it's important, take the code and go to that session. At the end also,
I will tell you more about other sessions that we have this week. But this is the first identity session, and thank you for being here. I want to share two things for this slide, for the title of this slide. When I was uploading this slide on the Ignite site, I made a mistake. Instead of cloud identity and access management, it was saying loud identity and access management. The only loud thing about identity and access management is the product manager, okay?
Identity and access management has one ambition, to be invisible. To be there for you, protect you, share to do your business, but it will be invisible. This is our goal. Our goal is to be forgotten in a good sense. We will be always there for you, and you will do what's important. This is the goal of this session. Let's see if we're going to achieve it. Now, I'm sure that you have seen these numbers.
Have you seen these numbers before?
>> Yes.
>> And you will see them again and again, okay? I guarantee you that. But no one will tell you the truth. Do you know what these numbers mean? This number means, it's a hard fact, I mean prepare yourself, no one loves you, no one, okay? There's not a single category of people out there that likes you.
>> [laugh]
>> I understand that's hard, but look at that, the first category that makes sense. It's the bad guys. 63% of all the bad things that happen to you are coming from faults of your users and weak passwords. And the bad guys, it's not personal, it's not that they don't like you. They're going to make their living. It's hard work, but it pays. So it's not that they don't like you, but they don't like what you do.
So that's the first category. The second category is your users. They definitely don't like you. Okay, and that's why 80% of them are using applications that you don't know. They don't want to talk to you. Can you imagine that? 80% of your users, they don't want to have anything to do with you. They are using their own applications, shadow IT. It means your
users don't like you, and you have 20% of liars out there saying that, no, no, no, I'm using only approved applications. So that's the hard truth, the second truth. And the third truth, you know. Your leadership also doesn't like you. They say, yeah, yeah, yeah, you need fancy tools. There's no positive growth for you. So in this world where no one loves you, you have only us, okay?
>> [laugh]
>> I'm your only friend right now.
And you know why? Because we will help you with solutions like this one to become the heroes that you need to be for your business. And you will make your users not love you, but tolerate you, because you will give them what they want fast. You will make your business definitely love you, because you will save money. The first category will still hate you, no matter what, okay? So, this is the reality of this slide.
And also, Microsoft thinks that, in order to address this reality, I'm here to be that hero I said, to become again the hero of the business. We have that suite of products, Enterprise Mobility and Security, that with identity and access management, mobile device management, security products, information protection services, we will help you and your business do what you want. Access everything from everywhere in order to do what you do every day, okay.
We want you to be successful, to be easy for you to do your business, and at the same time we will protect you. Not the one against the other; productivity and protection at the same time. And it's tough to be productive and protected at the same time, because this is the reality that your users are facing. And this is what they want your help with. So let's see how you're going to help them. Let's do a history lesson.
Back in the days, there was this thing. It's like a space above your own premises. It's the on-premises Windows Server Active Directory. I think that most of you have one or more of this. Is there here someone that has nothing to do with Active Directory on-premises? That he doesn't have a single installation of Active Directory? One, thank you. We have a statistic that says 93% of businesses out there are using Active Directory.
And they tell me, can you prove it? Yes, I prove it every time. 99 in this room, .9. So Active Directory is a dominant directory on premises, and again there are businesses that we still have that are using other directories. Fine, it was great for a while. You are doing your business with that. You have that directory service, you have identity management services
there, and you're accessing on-premises applications. But then the cloud appeared. And not just the cloud, devices that users brought with them. And they wanted access to your on-premises environment. And you said, fine, I know what to do, I will build a wall around it, a wall I said. Does the wall come, yeah, it was hard, it's not easy to build a wall. So you build a wall for them and also you open tunnels, they are called VPNs.
You open tunnels, holes in your system, to allow external devices to access your precious data. And then you realize that the applications outside your network are more than those you were protecting. So you say, why exactly am I protecting something that has nothing to do with my business? Almost everything seemed to be outside, and you had also customers and partners that now are in the game, and they said, we want access everywhere.
We want access to easy-to-use applications. So it was really difficult to protect that perimeter that you had before, to protect that network that you used to have. So you will start thinking, and we will start thinking with you, the vendors, what we could offer you to solve this problem. So for a minute you said, what if we don't use cloud applications at all? Nice. It was impossible though, you remember. Your users don't like you.
80% of them are using cloud applications no matter what. So we said okay, let's give them something else. Let's put something in between the cloud applications and the on-premises environment, an identity hub, Azure Active Directory in our case, that will handle all the access to cloud applications, to on-premises applications. It will allow access from any device, to any cloud, and at the same time it will allow customers and partners to collaborate with users and each other.
So this is the vision of Azure Active Directory. It will be the hub that we will create a single connection with, you will build a single bridge with, and through that bridge Azure Active Directory will open the gates of the public cloud to you. As I say many times, I am holding the keys of the public cloud. Office 365, Google Apps, Amazon Web Services, Azure, Google Cloud, any cloud, any applications, I am holding the keys to that. And I'm giving them over to you, through Azure Active Directory. You will control who has access to what.
And you will do that in an easy way for the end users. Why with Azure Active Directory though? That's a great story. It makes sense, let's go to another vendor. Why with Azure Active Directory? Azure Active Directory is not a small startup or a thing that just started and I am begging you to come in to test it. Azure Active Directory, this directory service, is a tested directory, it's a proven service.
85% of the Fortune 500 are, one way or another, on Azure Active Directory. Because, guess what? Azure Active Directory is the directory of Azure, as you can probably imagine. Office 365 and almost any other cloud service that Microsoft has, and enterprise cloud service. And because of that, because we own in a way Office 365 and Azure, 1.3 billion authentications every day are culminated from this identity provider, from Azure Active Directory.
1.3 billion. Okay, the number is so big that you need to take a pause to think about it. Every day. 110,000 applications. And there is a number, 10 million directories, 750 million users, huge numbers, I mean, ridiculous numbers. And there's another small, I mean, modest number there that says 33,000 Enterprise Mobility and Security customers.
These are the customers that didn't take Azure AD with Office or with Azure or by accident. These are customers that trust the Enterprise Mobility and Security vision, and they did that the last two years, because Enterprise Mobility and Security, in the way that we have it today and we will present it the whole week, exists only two years, and 33,000 customers are already on board with us, and help us become better and better. So, this is why you should use your Azure AD with everything.
But again, I don't want to brag, although-
>> [laugh]
>> I'm a modest person. However, I don't want you to stay on the numbers. I want to show you and prove to you that we have all the features that you need to be productive and secured, and I want to insist on productive. Recently, we are the first actually, we said, you know, it's not just identity, it's identity-driven security. And identity and security became one and the same for
many other vendors, right? This is the new trend. And I had that discussion with an analyst, and I said, is identity security? He said, only you identity people don't see that. Identity is security. But I want to insist and share my thoughts with you that although, yes, security is our number one concern, and you will see that, we still have features that are just to make your business progress.
We have things that you need, and then we give you security for those things. It's not just a security product. It's a product that will help you collaborate more, help your users be more productive, and do whatever they want. So that's why Azure Active Directory identity and access management can provide one identity to access all kinds of applications. This is what we mainly do. This is the core thing that Azure Active Directory does.
We will give you one identity to access any application in the cloud and on-premises. This is our main goal. And we will do that while we will hear your users collaborate. We will do that while we help you and the IT departments to manage access at scale. And at the end I will show you that we protect you. We work night and day to protect you. Protect your identities and your assets, and you will see that.
But we also care about the business. It's not just about security. It's security and business at the same time. So let's start by focusing on the first pillar, if you want the first scenario, which is that one identity to access thousands of applications. That means different things for different customers. We have our friends from Bristol here. They say, yes, one identity to cloud and on-premise applications made our lives simpler.
But we have other customers saying other things too. I'm not going to read it. I thought it was best to read everything, but then I said no. So, how do we do that, how do we achieve that? As I said, no matter if you have Active Directory on-premises or another directory, sort of databases with usernames and passwords, we can help you synchronize them, bring them together and synchronize them to Azure Active Directory. Either directly or by using our on-premises identity management product
like Microsoft Identity Manager. And as I said, we help you, we are giving you the tools to create one bridge, one simple connection that is called Azure Active Directory Connect. And through that bridge, you can hear your users walk through the cloud. It's easy. We have the 10th version of Azure AD Connect, and the newest versions of Azure AD Connect are what you have to use to achieve everything that I will share with you today.
So, this is how we give you one identity. And you guessed right. This one identity is not a new one. This one identity is the same identity that you used until now on-premises. So, actually we help you extend the reach of this identity to any cloud, any application, from any device. This is the one identity I promised. It's not a new one.
It's the one you are using already. Now, what about the thousands of applications I promised? Let's see. We said at first, as the traditional tools are doing, I will give you the bridge, the connection, like federation tools do mainly. And you will build federation after federation after federation, connection after connection, your small bridges with every application.
But then that didn't solve your problem. That's why we have done a lot of work for you. We have pre-integrated thousands of cloud applications, the most popular ones, in Azure Active Directory. So, when you build that bridge I was selling you, you can simply go to a gallery and say, now that I have that bridge, I need single sign-on to Office. I need single sign-on to Box. I want single sign-on to Google Apps.
I want single sign-on. I lower my voice because how many of you have Google Apps? 5? Yeah, I don't have to be loud for 5.
>> [laugh]
>> Google Apps. Okay. Office 365. How many have Office 365? It's a Microsoft, so, okay, I understand.
>> [laugh]
>> So you see, we have done work for you, applications are there. What if my application is not there in Azure? We have templates. You can bring your application inside our environment easily by using templates. And if you write an application, a custom application, if you develop an application, there are libraries, there are ways to add these applications in Azure Active Directory.
Now yes, cloud, cloud, cloud, cloud, SaaS. We are all about SaaS. We want you to go to the cloud, screaming and kicking sometimes, but we want you to go to the cloud. However, that's not possible. I don't know why you keep insisting, Nasos, don't forget our on-premises apps. Nasos, what about this web application that is on-premises and I will never move it, because there is no SaaS equivalent,
because I have compliance issues, because I don't have money and I'm not planning to do it. So, why are you not doing something through that great environment that you are promising to access on-premises applications? And you know, we did something, we hear you, and we did something 18 months ago. We introduced a component of Azure Active Directory that is called Azure Active Directory Application Proxy. And Application Proxy did phenomenal work with web applications on-premises
that are using form-based authentication or Windows Integrated Authentication and some others. But still, that monster of on-premises applications wanted more. Because not all web applications are equal, let me tell you that, okay? We have cookie-based and header-based applications. And all applications that are not using standards. And we have applications that are complex and
behind firewalls after firewalls. So, you wanted more. And I think we did it. But, I have someone that is better than me to describe that. I want to call on stage Patrick Harding, who is the Chief Technology Officer of Ping Identity.
>> Thank you very much.
>> [applause]
>> So, I have Patrick here with me because Microsoft and Ping Identity work together
to provide you a solution to access even more on-premise applications. Patrick, are you excited about it? Because as you see, I am super excited. [laugh]
>> I don't know if I could be more excited than you now. I mean, I've never seen anybody so loud up on stage, it's phenomenal.
>> Okay, it's cloud, you know, cloud.
>> [laugh] So, Ping is ecstatic about this opportunity to partner with Microsoft.
We feel we're gonna help a lot of Microsoft customers enable their legacy and on-premise applications, to sort of modernize them to support the latest identity protocols, so that they can actually take those applications and make them work with the Azure AD control plane. So it's really, really exciting to do that.
>> So what do you think is the benefit for the customers, actually, from this partnership?
>> So I mean, I've got to sort of summarize what you said before, actually.
I mean, enterprises today, employees today, it's a mobile workforce. People, workers expect to be able to work from anywhere, anytime, on any device, and get access to any of the applications they need to do their work. That could be SaaS applications, could be cloud applications. And obviously it's gonna be on-premises applications as well. And Ping's gonna be helping Microsoft sort of take those on-premises applications and make them available and visible to support this new sort of work productivity that we're dealing with.
>> And a few examples of these applications, Patrick.
>> So, we're dealing with some of the, I won't say it out loud, but SAP applications, Oracle applications.
>> No, no, feel free. We are not competing.
>> Okay, good. A classic example of what we're dealing with, it might be some of the applications written in Java, or running on Apache on Linux. It's all the stuff that actually springs up that you
don't necessarily realize is there over the last 15, 15, 20 years. So, it's all that stuff.
>> Really, can you help us understand how this works?
>> Sure, so at a very, very high level, because I know this is meant to be a deep technical presentation today, PingAccess is helping you enable those legacy on-prem applications to support OpenID Connect and OAuth, so that you have a standards-based interface that can basically integrate directly into Azure AD, acting as an OpenID Connect provider.
So we're supporting standard protocols for doing this, nothing proprietary. And then the applications that PingAccess protects, we leverage HTTP headers or other mechanisms for you to integrate those apps very easily and seamlessly into PingAccess at that point.
>> Thank you, Patrick, thank you very much, that was great.
>> Thank you.
>> [applause]
>> And I will also show you a demo so you will see that I actually understand the service.
It's an amazing demo, how you can just access those applications protected by PingAccess. So, if you want to know more about what we did with PingAccess in Application Proxy, I'll give you single sign-on and remote access without VPNs to more on-premise applications. Come to our booth, go to Ping's booth. We are more than willing to share with you the details. Just a few things more than that, this product, in quotes, PingAccess for Azure AD, we don't have an official name, as you can imagine.
Yet, we'll be available early 2017, now we're in private preview, okay. So in the next few months, you will see this thing becoming an actual service included in the directory. As you saw, we can do thousands of applications in the cloud. We could do enough applications on premises, and now with help we almost unlock every application, but we are not stopping there. What about real single sign-on with mobile applications? Because single sign-on with the web versus the applications seems easy now. I mean, most of the people can do it.
What about the app single sign-on to mobile applications? What have we done on this front? So let me show you that. I'm using the opportunity of the tool that you're seeing on your screen to discuss single sign-on to mobile applications. This tool is called Microsoft Authenticator. Please go and download it, and use it. It's for iOS, it's for Android, for Windows Phones.
>> [laugh]
>> I'm also lowering my voice
because again, how many of you have Windows Phones here? More than Google Apps, of course, but still I'm not impressed. I thought I was the last one, so it's good. So, Windows Phones, iOS, Android, go and download this app, because this app does, what this app first of all consolidates every authenticator app that Microsoft ever created. Okay, authenticators for Windows, Microsoft Account for Android, but why we had all those authenticators. That was our problem, okay.
So, first of all, with this application, we're solving one of our problems. Different teams writing the same thing, okay. We do that sometimes. In this case, we fixed it. There is no authenticator for Microsoft that is not consolidated in this tool, Microsoft Authenticator. And you can use it not just for Azure Active Directory enterprise purposes, but
at the same time you can use it for your Microsoft accounts, Outlook mail, Skype, to provide a second factor of authentication for that. And also you can use it for Facebook, you can use it for Google and other kinds of identity providers that provide to you a second factor to protect your authentication even more. So the main reason we have this tool, it was because it is used to materialize the multi-factor authentication, and I will show you that in my demo. However, this tool now, this consolidated tool, will do more. With this tool you'll be able to have real single sign-on
to different mobile applications. So you will log in to your iPad, and if Authenticator is there, you will be able to log in once to Word, and then to Excel, and then to PowerPoint, and to Outlook, without having to add your password again and again and again. And if you are old school guys and you will like, you don't even like to add your password, but you want to solve that with old fashioned tools, we have something that is called certificate-based authentication.
So if there is a regulation reason that you want to use that, you can download certificates. They will be stored in this Microsoft Authenticator, and they can be used for authentication without passwords. And soon, in the near future, Microsoft Authenticator will be the vehicle of Windows Hello, of passwordless authentication based on the FIDO standards. So you will really get rid of your passwords, eventually, through a tool like that.
So imagine, you will use Microsoft Authenticator on Windows devices, on iOS devices, on Android devices, to log in to your main device, but also in the near future you will use this application to log in to websites. So no matter from which device you're coming, you will go to a website and, if it supports the standard, you will use Microsoft Authenticator to scan the QR code or anything else, and you will be able to log in to this website with no passwords. So although the death of passwords is a bit of an exaggeration,
it will happen eventually, and we are starting with that tool. So, Microsoft Authenticator, download it. You can use it for Azure AD, if you have it. And you can use it for Facebook, for Google, for Microsoft accounts, for your consumer accounts at the same time. It can support multiple accounts. So, we provide single sign-on to even your mobile application store, now easier than ever. And still, there are applications out there that are not covered yet.
How many applications are out there? I don't know. You have applications that are traditional, and you don't want to keep them on premises, but you don't want to change them. You want to take them and put them into the cloud. If that's the case, if you want to take applications running on premises and move them directly to the cloud without any changes on the model of your application, run them on Linux and Windows virtual machines in Azure, then yes, we have that too.
Here I give you domain controller as a service. You can, instead of using a virtual machine on Azure, you can just plug your Linux and your Windows virtual machines in this data center, domain controller as a service. Domain Services that we provide through Azure AD, and this thing, this service, will act as your domain controller. So, no matter which application you have, SaaS will have you covered. Custom applications, cool. On-premise applications, our friends from Ping and
we will have you covered. And for mobile applications, and even more, if you have applications for lift and shift, you are covered too. Okay, so I did my best to prove to you that thousands of applications is not just a marketing number. Now, let me move to the next pillar, which is, okay, I gave you an identity, and [inaudible] everything. Your users can do that. But now, they want to collaborate.
They want to make their life easier, and because again, I told you, they don't like to talk to you, they're going to have self-service capabilities. Let's see that. So, a lot of customers are using that already, they are super happy. I forgot to mention our friends from Vetco here. Look at what they say: I give them one password and I let them go, do whatever you want. Reset your passwords, go wherever you want, we cannot manage you all. So, that's a way to provide access without borders to users.
Other organizations, bigger organizations, are using our tools for a different approach, to provide access, secure access, to partners, to vendors. But this is the main idea, so let's see the features, the capabilities that materialize that. First of all, we provide a single tool, a single screen, that gives you access to all applications I said. Cloud applications or on-premises applications, that is one place that you can access your applications. I don't want to say anything more on that, because I will show you that in my demo right away.
Let's go to the next, which is one of the most important things, and we have a great session on Friday morning that will describe that more. You can use your Azure Active Directory as the center of your cross-organization collaboration. Let me use another way to say that. Imagine that you want to provide access to your vendors, to your partners, to external users, your guests, but you don't want to do that thing with traditional means,
like creating temporary accounts on-premises. Those temporary accounts on-premises are the mother of all bugs that happened to customers, because these temporary accounts are never temporary. And our normal accounts in your Active Directory, no matter what letter you put in front of it, temp, v, whatever, they are normal accounts and they can be used for good and for bad. Now we give you the opportunity to avoid that. Invite the guests that you want, invite the partners that you want,
the vendors that you want, to access your on-premises and cloud resources by using Azure AD. We have B2B collaboration and an easy way to invite guest users. If they have Office 365, if they have Azure, fine, it's easy. If they don't have it, still we can invite them through a free Azure Active Directory we will provide, and the news is that now we can do that even with their Gmail. You can invite people even with their Gmails. Go to the session and you will learn more about that.
Moving forward, one thing that you would expect from us is that, although as I said before, we support all kinds of devices, we support all kinds of platforms, of course, we also support our own. It's no surprise here. And with Windows 10, we went one step further with Azure Active Directory. We embedded Azure Active Directory with Windows 10. From the moment you buy Windows 10, you have the option to log in,
to join your device to the cloud, and from that moment on, you imagine you just bought something from a store, on your way to the house you open it, you are in the out-of-the-box experience, and you can choose to join into Azure Active Directory. Without going back to on-premises, to the corporate network, without having your users talk to you, because they don't like you, again, I say that again and again, they will join the device to Azure AD, and all the security policies, the mobile device management agents, and other things that you want will flow into this device
through Azure AD without the need of a traditional join to start with. And if later on you want to join these devices traditionally, of course, you can do that. We have a hybrid model. And on top of that, we did something that was a request from many of you. On Windows 7, Windows 8 and Windows 10 originally, we have the ability to share the user interface, the browser settings, application settings, among devices. I'm using that a lot.
I have my device, I log in with my Microsoft account, my MSA account, Hotmail, Outlook, and I synchronize the settings of this device with other devices. That's a great, great capability. You can keep two, three, ten devices with the same features, by just synchronizing them. But your request was that, you know, I'm an enterprise, and Microsoft accounts are personal. I don't want to synchronize the settings of an enterprise device
through a Hotmail account. Give me something better. And we did that. Through Azure Active Directory, Windows 10 devices now can share settings through Azure AD, and this feature is called Enterprise State Roaming. Now you have a device, you install applications, you set settings on these applications, or your browser, backgrounds, everything, and if this device is destroyed and
you get a new one with Azure AD, everything will flow back. The device will look the same. And if you are using OneDrive, all the documents will be there for you. We did that with Enterprise State Roaming. Now let me go to the final thing before my demo, which is the ability for consumers to have the same experience. For your own users, your own customers. The customers of our customers. We give you the opportunity to provide secure single sign-on
to them by using B2C, Azure Active Directory B2C. Again, we have a session, you can learn more details for that. Let me go now to my demo. As I told before, we help users. And it's important to start from the end user experience. I will start from the end user experience, and I will try to show you almost everything I've talked about through the end user experience. Imagine now we have a persona here, and
this persona was working for this company, so it's not brand new. She didn't come today. And I use that because she has configured a few things, I don't want to configure everything from scratch. She was working for sales, for marketing let's say, and she realized that marketing has no future.
>> [laugh]
>> And she said, I will go to sales. Great, so not engineering. Sales, I said.
She moved to the sales department. Fine. Now she has a new device. Her new department gave her a new device. Everything looks fine because it's within Enterprise State Roaming. And although she doesn't know where to find the applications on the device, she will go somewhere that she always goes. She will use another browser, and she will go to, I don't remember the name of that browser,
myapps.microsoft.com andso we log in. our user is called aphrodite,and says now is sales person. although she use the word formarketing. aphrodite will go in. as you saw when she wasrecognized everything changed, this is branding that is providedby azure active directory. she will use her password. and she will sign in. she signs in andshe sees a few applications.
she sees, of course office 365,her mail, exchange, sharepoint online for onedrive. she sees another application forfile sharing there. contoso research. this is as it says here, super, ultra sensitiveon-premise applications. amazing. now she have access to them,i mean, the secrets of the company. of course, the hr applicationthe she has here amazing,
but that doesn't feel good. i mean,there are too few applications. let me go to mails aphrodite says. she open her email to send somean email to helpdesk but no you see, her manager hasalready send an email. as i told you,i'm not zooming in and zoom out. listen to me for the story. the boss here says,welcome aphrodite. you saw already a fewapplications in your environment.
However, the way we do it here in sales is that we want you to go and join a few groups. And by joining these groups, you will get access to even more applications. Amazing, Aphrodite says. So they want me to access sales team apps and enterprise social apps. Let me do that. She clicks here, and this is the ability of self-service group
management and self-service application requests. Tools that don't need IT interference. She goes here and says, I want to join the group. Sales are better than marketing. Great, this specific group has self-approval rules. There's no need for a manager to let her in. She just got approved. What else did the boss say? I need to join the enterprise social applications.
Let me go to all groups. Let me find enterprise social apps. Great. The users that are in this group get access to the Twitter account of the company without the need of knowing the password. Sales are still better. Or something like that. I use Greek too, so. Now, this group is a little bit different.
This group requires approval from a manager, from a business owner. Not only from the admin. It's just the business owner that needs to approve that. Let's go now to her manager's portal. I'm using Internet Explorer for that. And as you can see here, her manager is using the modern, the new version of My Apps. You can see it's in preview still. This is the new interface.
Better, cleaner, and let me refresh that a little bit. Just to have the request from Aphrodite appear here. And you will see that, if you noticed, a new notification appeared here, and again, this is not an admin, this is a normal user. We are talking about self-service group management. This guy decided that the group that brings access to his applications will need the workflow. So he will go here and say, sales are still something Greek here, approve.
Yes, I'm sure that I wanna approve. And let me tell you, this also is in his mailbox. So he could do that through his mail. Aphrodite's approved. I don't know how much time I need to stall in order to think to [inaudible]. You have to bear with me again. Give it a few seconds. It doesn't take more than one minute ever, but
one minute is ages here, so bear with me. One minute I said, okay. No more than one minute. But because one minute can be too long. Okay, so boom. You saw that? I hope you all saw it. Yes, please.
>> [applause]
>> So
from 0 applications, now I have 24. Some of them from one group, others from the other group. And as you saw, I have access to my Office 365 with no problem at all. Let me click on Box. Yes, I can open Box, single sign-on to Box. Okay? You see that, I'm in. And I have Salesforce, I have other applications. I have on-premise applications.
I have Twitter. Let me open Twitter. Let's see what happens if I open Twitter here. So as I said, this is the enterprise social account. I don't know the password, but we are using something, the closest thing to single sign-on. And we have access to the social account of the company. Without that user knowing the password. So Aphrodite has no clue what's the password
of the Twitter account of the company. But still, she can tweet in the name of the company now that she has the right role. And what else do I need to access from here? One application is missing. Although this tool is great, Aphrodite says, I still have one application that is great, and it's an old web application. It's an application that is using cookies and header-based authentication.
Aphrodite doesn't know that, okay? She just knows that it's an application that she needs to build the VPN for. But recently, she heard something that a group was created for those that were, I mean, they had heard enough of VPNs. I didn't want to see a VPN again. So let her search for that group. I go to groups. I go to all groups.
You see, the user can join other groups or search for groups. Sorry. All groups. And she will try to find that group from those that are tied with VPNs. Look at that. I'm tired of VPNs, how convenient. Now she says, I don't believe it. Is it possible to join this group, and all the web applications I used to have and that needed a VPN will now appear in front of me?
Let's see, I'm really tired or whatever. What do the rights mean? Hopefully nothing offensive. Okay, I'm in, so let me, so, let me go back, I need a few seconds, as you can imagine, again. So what do I have here. You remember 24. F5. Not that 5.
Let's see, 24. And imagine, this is an application that is on premises. Let me show you that. And now that you know that we are doing something with Ping Access, I will take that opportunity to show you something else. So this is the on-premises application server, and Ping Identity is installed here. So I'm not going to go in, but Ping Identity is a piece of software that is installed here, and it connects with the on-premise
applications that Aphrodite couldn't access without a VPN. And just to show you that it's a real application, Aphrodite has to come locally, and how to localhost, and sorry, for this website. SQL-C, this application, this is the application that you want access to. In order to do that before, either you had to remote desktop to a server or come on site through VPN and access these applications with legacy tools. Now, with Ping Access, connecting with Application Proxy, Aphrodite will be able to access this application.
Of course this is the admin now, okay. I'm the admin logged in here. Let's see if that time was enough to see the application here. I hope that it was. So yes, sure it is. You remember, Contoso Retail Services. So now, look at that. And demonstrating how difficult it is to access with single sign-on an application that was in support before we got Ping Access.
Let me show you, impressive, isn't it? [applause] People told me, actually in this room I have my friends who said, Nasos, are you sure you want this demo? It's nothing. You click and you are in. This is exactly what I want to show you. Right. It's nothing. Ping Access is there.
Application Proxy is there, and the user just clicks and he's in, or she's in, in our case. And if you don't believe me that this is a header-based application, I hope that it will work. If I click here, we have done something so that you can see the headers, and you will see, for those that don't believe me, they will see that it's not a normal web application, that there's cookies and headers. So, until that happens, I will go back to
the rest of the presentation, and then I will return to this demo, to show even more, and show you some management console and security. And hopefully by then the cookie will appear. So, this user, this demo showed you that you can go to any, to access any application on premise or in the cloud, by using self-service capabilities like self-service business application management, group management. Some of these groups can be dynamic. So you can become a member of a group without requiring access.
You can become a member of this group because of your department, because of your name, because of your country. So we have dynamic management, and now I'm going to show you, probably, something that makes your life easier. And we have a specific session on that, that will appear right here, this one, that will talk exactly about that. How all these things I showed you, plus the ability to get provisioning and single sign-on to thousands of applications easily, are available through Azure Active Directory.
So Azure Active Directory doesn't just provide single sign-on. It provides advanced lifecycle management because it helps you provision users directly to applications and stuff, all that, and that means when you create a user on your Active Directory, and this user is synchronized to Azure Active Directory, and by using groups or directly you assign an application to them, the way I assigned applications to Aphrodite, then Aphrodite will find an account for her in Box, in Salesforce, in Office, in Google Apps, in ServiceNow, in other applications.
And you don't have to go to these applications and create another user for Aphrodite. Azure AD will do that for you directly from the on-premise or the cloud directory. So, management at scale means that you can have tools to provision users to applications and also deprovision them by changing their group membership. They will lose access to the groups that you showed. If I remove Aphrodite from the group, you remember the group,
I'm tired of VPNs, she will lose access to that application. If I remove her from the SaaS apps, her account in Box and Salesforce will be disabled. So provisioning and deprovisioning. And other tools that you will have the opportunity to disable. But also, management at scale means I give you tools to monitor everything. So you know that all the infrastructure that supports your business runs well.
So we have introduced a tool that now, I believe, is at a better state than ever. That lets you monitor your connection, your federation servers if you use federation, but also your on-premises domain controllers. And you can see the health of all of those things through a tool that's called Connect Health. So this is it. Let me go on and
discuss something, as I said, equally important as productivity, but I want to admit that it's cooler, okay. It's amazing. So this demo is even better. I love this demo. I love that part of the presentation. We are in a position right now to claim that we can give you advanced identity protection. Better than ever before.
I will show you why, I will demo a few things. But then we have a couple of sessions that will take you deeper there. Let me start by showing you that while I help you go to the cloud and everywhere, I also protect you with Azure Active Directory. Probably, I can say I protect you better than ever. We have many customers that are using these features already, of course. You can read about it later.
What I have here. You will see that our story, the protection of our users story, has many different parts. And everything starts from the entry point. I want to talk to you about protection of your identities at the front door. And to be honest, there's not just the front door. I'm protecting the front door, the back door, the windows, every opening, every point of access.
We protect everything. No matter if you are coming from the front door, as the title says, or if you are coming from the back door, or from everywhere else. When you are trying to touch the assets that are protected by Azure Active Directory, I will be there. And first of all, I will protect you with simple things that make a huge difference, with our conditional access policies. Conditional access means that whenever you try to get in to an application or a resource that is protected by Azure AD and
Enterprise Mobility and Security, I will check who you are, of course, but that's not enough anymore. I don't trust you because you have just a user name. That's not good anymore. I don't trust you, at least for every attempt you do to access applications. I will check who you are. If you are of the right group, if you are coming from the right device, if this device is managed and
compliant, I will check if I like your location. And if all these things work, then I will let you in, possibly, or I will make your life a little bit harder by asking you to, I will challenge you with multi-factor authentication. But okay, location, device, user, application sensitivity, I can let you in, I can block you, I can enforce MFA, but this is not absolutely new. Although I love these features, and we implement them in a great way. The great thing is not that, it's the fourth thing that you see there. While we are protecting you with simple rules,
in the background we are doing other stuff. We monitor everything that is happening in the cloud. We are monitoring all the attacks we get through those 1.3 billion authentications per day, but even more, we monitor all those authentications and attacks that are happening in every other cloud that Microsoft has, which is our consumer cloud too. Every authentication against Xbox, and Skype, and Outlook, and Azure, and Office 365, they are all coming in, in one machine learning engine. And what do we do with that?
Let me tell you what we do. One friend that is in this room said something that I really like, and I will repeat it. And I hope you understand it, and if you don't, you will go to his session. In order to protect you, the signal is the king here. The signal is king; no one can say that I will protect you because I can, let's say, calculate a risk for you, if he doesn't have the right amount of signals.
I listen to other vendors saying, yeah, this kind of protection, the risk-based protection that I'm going to describe to you, it's not that great. Of course they say that because they just can't do it. In order to be able to calculate the risk, in order to be able to say that I know what's dangerous for you, and I will protect you from that, and you don't have to set up static rules, you'd have to have the signal. And Microsoft has it.
And what is the signal? As I said, it's the millions of attacks, and the billions of authentications we get every day. You can monitor your environment. And you can identify what's not normal for your users. But you don't have the power on your own to identify abnormal behaviors that are happening across the cloud. One IP or one user can right now attack another one of our customers. Not you, but we know that.
And when he tries to attack you, for you he will be new; for us, however, he will be an old item. Someone that we already know is sneaky. We are using that vast amount of signals, those millions of attacks that we are having every day, to protect you, by knowing what's normal in the cloud. We gather abnormal behavior from users. We track IPs with suspicious behavior. We have reports that gather leaked credentials all over the net.
Imagine that. Every time you see an announcement that 4 million accounts were stolen, 5 million accounts are there, most of them are gathered by Microsoft. And we give you the information if one of your accounts is there. There's a report, actually, a unique report in Azure Active Directory, that says, one of your accounts is in the news today. You didn't know it. We know it and we share it with you. How amazing is this?
In order to give you that, we did that with the power, the cloud power that we have. It's not horsepower here, it's cloud power. And now we share that with you. We give you one more monitoring tool, no, we don't give you one more monitoring tool. That's not what you want. Monitoring tools are great, and we have a great monitoring tool. You see that lens up there.
It shows users at risk, and logins at risk, and other things I will describe in my demo. However, what we really offer here, and what I'm really proud of, is the fact that we allow you to act based on what we monitor. For all these bad things that we think are happening against you, all these malicious attempts to access your resources, all these IPs that seem suspicious, we calculate the risk. We calculate the risk score for every attempt. We calculate the risk score for every user.
We calculate the risk score for every vulnerability your configuration has, and we give it to you. And we say, create a policy to act on those risks. How cool is this? It's not another monitor, it is a monitor of course, it's a great monitor, and actually, as you can see here, you can see it with other monitors, you can extract your data and give them to all other monitoring tools and SIEM systems you have. But what I'm really excited about is exactly what I said,
we calculate the risk score. You of course have to worry, every time you have to worry, but we are there for you with the huge experience we have to tell you that, you might not know that, but Aphrodite is at risk today for many reasons. And [inaudible] login is risky. Because she's coming from an unknown location. And you don't have to configure every little detail of it. If Aphrodite is risky, do that,
if she's using this, do that; we just act based on the score. If this score is high, block Aphrodite. If the score is medium, challenge Aphrodite. If the score is low, let her in. This is what I'm excited about, and I'm trying to make you excited. But if I do the [inaudible] we have a really detailed session, and on top of that we have something that is really important too, and it was a request that was coming from many of you. We extend that protection from just the end user
to your administrators, to you. Because I will bring back the first slide. No one loves you, and no one trusts you too. Someone has to protect the business from you guys. This is the tool that will protect the business from you, because with this tool, Privileged Identity Management, all the cloud administrators from Office 365 and Azure Active Directory will be discovered. We will restrict,
you will restrict their access if you want, as eligible or temporary. And then you will monitor and assess their behavior, so you can decide if you want to change something. Advanced identity protection with risk scores for every user, but also privileged identity management, to be sure that no one has that level of access to do whatever he wants; we will control everyone. We trust no one, as you see here. And this is the assume-breach environment that you would need to
operate in. So what I showed you today until now, if you think about it, is the ability to protect the access point at the front door. If someone tries to come in from any cloud place, I will be there with my rules, with my risk scores, with my policies, to protect you. And I will show you that in a demo right away. However, if you have some time to think, and if I wasn't that loud and thinking was easier, you could say, okay now, as you said at the beginning,
that you are giving us one identity, right? And this identity is the same we are using on-premises, right? But here you're protecting this identity only from the cloud. What if this identity is compromised from within? What if this identity is compromised on-premises? And your fancy cloud tools cannot do that because the access point is on a, I mean, time is server somewhere in the data center. That's why I'm not just here to present you about the cloud identity and access management.
I want you to remember that we have the holistic approach through Enterprise Mobility and Security. That's why we have something similar on-premises, but it's called Advanced Threat Analytics. This tool does similar user behavior analysis on-premises. It knows what is normal for your user on-premises. What's the behavior that your users and entities have on-premises, and if it sees something irregular, it reports that, okay? So cloud and on-premises, we have you protected, but
still I protect you at the front door. What if you convince me? But you're good, you convince me that, Nasos, I have my username, I have my password, no risk for me. You call me through my phone, I replied. What do you want from me? It's me, I'm safe. So the guy at the front door will say, yeah, come on in. So when you are in, no one is watching, right?
You can go wild, you can start climbing on the desks, breaking the furniture, I don't know. No one is protecting you anymore because you went through that front door, you proved that you have no problem. No, that's not the way, what I said, we trust no one. We don't trust even those that we pretend that we trust. So I let you in, but now that you are in, in these applications, I, sorry, this is the slide, this. Now that you are in the application,
in Box, inside Salesforce, inside Google Apps, inside Office 365, I still watch you. I still monitor what you do; I protect the business from your in-session behavior. So yes, you are in, but if I see you talk to the guy next to you, if I see you stealing stuff, deleting stuff, downloading things that you shouldn't, Cloud App Security, as a part of Enterprise Mobility and Security, is there to protect the business from you.
So I protect you at the front door in the cloud. I protect you at the front door on-premises. I protect you inside the application, and also, with mobile device management and information protection, I secure your devices and I protect everything at the file level. This is what Enterprise Mobility and Security can offer. And this is what we're going to present this week, starting tomorrow morning. But let me go through the demo. The cooler demo I promised, and we will close with this demo.
So we have Aphrodite here, in this environment, great. So Aphrodite went to a few applications with no problem.
>> The screen is black.
>> You have to believe me, the demo is there.
>> [laugh]
>> Aphrodite is there. Okay, so let's see a few things, a few rules that I have applied, so you can see everything that I've described until now. Aphrodite is trying to access, and now the application. Let's say sales person, okay, she's a sales person.
She wants to go to Salesforce, to the CRM, to CFI stuff. So, when she clicks here, the system will realize that now she's not going to any normal application. She's going to a sensitive application, and I'm using Microsoft Authenticator. It says, I received a verification request, you have to believe me, okay, I know that you cannot see it. So here it says, verify, cancel, and something else. Let me click verify for now.
So Aphrodite verifies, with a second factor, that she's the right person. So by doing that on Microsoft Authenticator, which I told you to download, or through a phone call or a text message. That I can receive on my Band, so I can just look at the text message and log in, nice. I can come here directly, however, there was a third option that we don't talk much about, but it's super important. The third option, we were saying, the first was verify. The second was cancel, and the third was cancel and report.
So if Aphrodite receives that request in the middle of the night, or a phone call in the middle of the night, she can cancel and report, and her account will be blocked. Fraud alert, so it's not just MFA and you verify or you cancel. If you think that you received a request out of the blue, although something bad is happening, someone has your password already. You can cancel and report, and your access, your account will be blocked. Let's see another thing, another rule. And you can imagine that this is a conditional access rule that says
if you access a sensitive application, the request might fail. Let's see another rule. Aphrodite's now home, and she has access to an application that says super sensitive, do you remember that? Contoso Research, it says super ultra sensitive on-premise application. Aphrodite is super excited because now she's calm, and she can show to her kids how important things she is doing at work. So let me show you, come closer.
I will show you everything that Contoso does in research, so look at that great message. Look at that, how detailed a message we have here? You cannot get there from here, amazing? It's absolutely clear. Now, Aphrodite understands that she cannot go there from here. I know that she has already called you, okay? So I do not have access, I don't have access. But if she really reads,
she can tell you, she can say that you cannot get there from here. You need to be on-premises on a trusted network to access, in case she still wants to call you. If she clicks on more details, she can get all these details and give them to your help department, help desk. That says, this IP is protected, and I'm coming from this device and this browser. So you can tell, and she can tell, if she's smart enough, that she's blocked because of the location that she's in.
So it's a location-based rule. Let's see now something else. You have seen that, I believe, in other demos, but I want to show it. I would now use Tor browser; Tor browser is an anonymizer, okay? And I will maximize it, although it says don't maximize it, because from the screen size they will understand from which browser you are coming and from which device, so they really want you to be anonymous. So Tor, if we try to access an application, it will go from here to Germany to Romania to Greece and then back to the application.
So it will cover your tracks. Let's see what will happen. So, I will go to My Apps as Aphrodite. And again, you have to be a little bit patient here, because it takes a few more seconds. Because it's really hard to do that job, okay, to be a hacker and protect your tracks; it's a hard job, but it pays. So, Tor browser now is trying to take me from one place to the other, to the other, to the other, to protect me by hiding my tracks. So now, let's see, if you check that, you will believe me.
It took me to Germany, from Germany to another place, to Germany and then to Ukraine. So now the application thinks I'm coming from Ukraine, amazing, blooded was by accident, okay, I didn't make it on purpose. So Aphrodite, I was really trying to get Greece, but it's random. Aphrodite, that had access previously to all the apps, now that she's using the anonymizer, let's see what happens. And you can see what happened? Same device, same location, same user, but this login was risky.
I will show you the rule that I created. I didn't go to create a rule that says, if you see Tor, block her. I said, if you see medium risk, challenge here with MFA. And accessing from an anonymizer, for our risk engine, means medium risk, makes sense. So it's not that I block Tor, it's not that I did something specific, I asked from our device, from our machine learning, to have a rule that you will see right away, that calculates the risk and blocks the medium risk like that.
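The conditional access rules and the risk-based policy described in this part of the talk (group membership, trusted-network-only apps, per-event and per-user risk scores, MFA on medium risk, cancel-and-report), as an added illustration that is not the speaker's code or any Microsoft product: a small Python model using the demo's persona. The app catalogue, locations, thresholds and the user "bob" are constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass, field
from enum import IntEnum

class Risk(IntEnum):
    LOW = 0
    MEDIUM = 1
    HIGH = 2

ALLOW, MFA, BLOCK = "allow", "require_mfa", "block"

# Constructed application catalogue, modelled on the apps in the demo.
#   group: self-service group that grants the app (None = assigned to everyone)
#   sensitive: always challenge with a second factor, like the CRM in the demo
#   trusted_network_only: "you need to be on-premises on a trusted network"
APPS = {
    "office 365": dict(group=None, sensitive=False, trusted_network_only=False),
    "salesforce": dict(group="sales team apps", sensitive=True, trusted_network_only=False),
    "contoso research": dict(group=None, sensitive=True, trusted_network_only=True),
}

@dataclass
class Tenant:
    """Constructed tenant state: memberships, locations and risk signals."""
    members: dict                # group name -> set of users
    trusted_locations: set       # locations allowed for trusted-network-only apps
    familiar_locations: dict     # user -> locations that are normal for that user
    leaked_credentials: set      # users found in a leaked-credential report
    risky_events: Counter = field(default_factory=Counter)  # user -> risky sign-ins
    blocked_accounts: set = field(default_factory=set)

@dataclass(frozen=True)
class SignIn:
    user: str
    app: str
    location: str
    device_compliant: bool = True
    anonymizer: bool = False     # e.g. the request arrives through the Tor browser

def sign_in_risk(t, s):
    """Per-event score: an anonymizer or an unfamiliar location is medium risk."""
    if s.anonymizer or s.location not in t.familiar_locations.get(s.user, set()):
        return Risk.MEDIUM
    return Risk.LOW

def user_risk(t, user):
    """Per-user score: leaked credentials, or too many risky events, raise it."""
    if user in t.leaked_credentials:
        return Risk.HIGH
    if t.risky_events[user] >= 5:
        return Risk.MEDIUM
    return Risk.LOW

def evaluate(t, s):
    """Pure policy decision, (decision, reason), for one sign-in."""
    app = APPS[s.app]
    if s.user in t.blocked_accounts:
        return BLOCK, "account blocked after a fraud report"
    if app["group"] and s.user not in t.members.get(app["group"], set()):
        return BLOCK, f"not a member of group '{app['group']}'"
    if app["trusted_network_only"] and s.location not in t.trusted_locations:
        return BLOCK, "you cannot get there from here: trusted network required"
    if user_risk(t, s.user) >= Risk.MEDIUM:
        return BLOCK, "user at risk, not just the event"
    risk = sign_in_risk(t, s)
    if risk == Risk.HIGH:
        return BLOCK, "high sign-in risk"
    if risk == Risk.MEDIUM or app["sensitive"] or not s.device_compliant:
        return MFA, "medium risk, sensitive app or non-compliant device"
    return ALLOW, "allowed"

def process(t, s):
    """Evaluate and record the event, so repeated risky attempts raise the user score."""
    decision = evaluate(t, s)
    if sign_in_risk(t, s) >= Risk.MEDIUM:
        t.risky_events[s.user] += 1
    return decision

def report_fraud(t, user):
    """The third prompt option, cancel and report: the account is blocked."""
    t.blocked_accounts.add(user)

def dismiss_user_risk(t, user, trusted_location=""):
    """Admin remediation from the demo: clear the user's risk and trust a location."""
    t.risky_events[user] = 0
    if trusted_location:
        t.trusted_locations.add(trusted_location)
        t.familiar_locations.setdefault(user, set()).add(trusted_location)

def policy_impact(t, sign_ins):
    """Share of sign-ins that would not pass cleanly: the 'how many affected' check."""
    return sum(evaluate(t, s)[0] != ALLOW for s in sign_ins) / max(len(sign_ins), 1)

def demo_tenant():
    """Constructed state mirroring the session's demo persona."""
    return Tenant(members={"sales team apps": {"aphrodite"}}, trusted_locations={"contoso hq"},
                  familiar_locations={"aphrodite": {"contoso hq", "home"}}, leaked_credentials={"bob"})
```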
Something happened to me yesterday night. As I said, we calculate three things, risk score in three things. Bear with me a little bit; we calculate the risk score for every event. So the user might be fine, perfectly healthy, but currently, real-time, what he does seems risky. So we give a score to every sign-in attempt, right? Secondly, we see the behavior of the user in general, so if the user is in a leaked credential report,
if a user is behaving crazy, then his score will go up. So yesterday night we go, I am new in Atlanta, and I was trying again and again and again the demo. Suddenly, the score of Aphrodite went up, so I was blocked no matter from where I was accessing. Because it said, although you are not surely doing something bad, you tried 20 times from Tor, ten times from a different location. Now the user is at risk, not just the event. So I go to the service that we call Identity Protection.
And you can see here that, as I said, it has a great monitor. That shows users at risk, events that are risky, and configuration. Let me start with configuration. You can see the scoring of configuration. It says that 400 of your users are not registered for MFA. And here is the collaboration between Identity Protection and Privileged Identity Management. Privileged Identity Management lets Identity Protection know that there is an administrative role that doesn't require MFA to log in.
Or that there are administrators that are not using their privileges, so what's the purpose of having them? Or you have too many global admins. All these suggestions are coming from Privileged Identity Management. And now they are here in the Identity Protection monitor, and they carry a risk related to them. You can see that users are flagged for risk, so if I go to users, you can see users that are in high risk. Because their credentials are leaked,
probably they were at Yahoo, and you can see Aphrodite here. Aphrodite was yesterday reported as a risky user, but I remediated just to be able to show the demo. So yesterday, it says, too many attempts from here. It seems innocent, but her risk now is higher. So I said, no, no, no, add Atlanta in my trusted locations. And as you see, Aphrodite down here is secure. And the same goes for the events; every event that happens against your identity has a score.
Let's see medium real-time events; you will see, among other things, various users logging in from unknown places, using anonymizers. And our Aphrodite is down here, and she has various events that say, you came from Prague or Athens and it's not your location. Or you're using an anonymizer, and, as I said, all these things will be great, but they're even greater because I can apply policies. And based on their score, I can say that for all users, or just for a specific group, if the score is at risk, if the sign-in risk,
score is medium and above, or high and above, do something. So, my rule here is that if the request, the event, is medium risk, then require MFA, multi-factor authentication. I could say block the users, I could say require password reset, but I warned you, I know that these tools are exciting. But let me tell you something. Aphrodite, when she sees this thing, once she reports, this is great, but this is downtime, people, right? This is downtime. You are happy because, and I'm happy too,
because we use the tools and we protect her, but this is downtime. So use these powerful tools wisely, and in order to help you to be wise, we have also, in that policy, something great that says, if you are using this policy, please see how many will be affected. So if you have 10,000 users, and from the moment you apply that policy you see that 99% of your users will be affected, something is wrong with your policy, all your users.
>> [laugh]
>> Fix it first, and then apply a policy that will make the life of everyone miserable.
It doesn't help, I mean, to love you more. Plus, again, remember people, this is downtime, okay? So balance between that and the productivity. And now I'm going back to close with a few slides, and you are free to go. You can open the doors, so look at that, we have a lot of success stories. But I want to point out Unilever; go to that session and you will see how this company has 100,000 users,
and they protect them and they modernize their ID with Azure Active Directory. Amazing session from your peers here. It's a tough team; they managed to bring 100,000 users to EMS with almost no problems. Of course, they didn't do that alone; our success team was there next to them. And our success team is here, and it will be there for you if needed. So you are not alone, and also I want you to remember that
everything I said, it has a session for it. This week, every slide I'll show has a session. And of course, there are things that you need to do afterwards. I have more things for you to read. And with that, I want to thank you very much for being a great audience. Thank you.
>> [applause]