Microsoft Enterprise Mobility Suite (EMS) – Identity + Access Management (IAM)

The growth of mobile devices such as smartphones and tablets changed the world rapidly. Most notably business users store important information on their devices such as emails,certificates, pictures, corporate apps and applications, etc. Maintaining control over their applications across corporate datacenters and public cloud platforms has become a significant challenge. IAM helps organizations to reduce helpdesk costs with self-service and single-sign-on experiences.

EMS – Enterprise Mobility Suite was introduced in the end of 2014. There is no specific product for EMS, it’s a collection of services you can choose.

Currently EMS contains the following services:

–          Cloud Identity + Access Management: gives users self-service capabilities and single sign-on for any corporate resource for easier identity management – for cloud-only and hybrid identities.

–          Mobile Device + Application Management: mobile device management, such as MDM in Office 365 and Intune to manage and protect corporate data and apps on almost any device.

–          Information Protection: information security management across on-premises environment and cloud applications while protecting corporate data inside and outside of the organization.

–          Desktop Virtualization: a scalable platform to deliver corporate applications simply and cost effectively – everywhere.

To use the entire lineup of these features, Azure Active Directory Premium is necessary

Of course also in hybrid scenarios you can use AD FS with every other application which supports SAML 2.0 (Security Assertion Markup Language)-base claims authentication, WS-Federation, or OpenID Connect to achieve single-sign-on. In this article we configure application access and single-sign-on with Azure Active Directory for cloud-based identities.

Azure Active Directory enables easy integration to many popular SaaS apps, such as Salesforce, Office 365, Dropbox for Business, Twitter, etc. Single-sign-on brings the ability to use one corporate account and use many other business applications by signing in only once using a single user account. Azure Active Directory supports three different authentication methods to access applications:

–          Federated Single Sign-On: instead of prompting for username and password, the application enables redirect to Azure Active Directory for user authentication by using the user account information from Azure Active Directory.

–          Password-based Single Sign-On: relies on a browser extension or mobile app to securely retrieve the application and user information from Azure Active Directory by using the user account information from the third-party SaaS application. Passwords are stored securely in Azure Active Directory.

–          Existing Single Sign-On: enables users to log on to the SaaS application using their Azure Active Directory account information, using AD FS or another third-party single sign-on provider and enables these applications to be linked to the Office 365 or Azure Active Directory access panel portals plus additional reports about that application when launched from Azure Active Directory.

Let’s start with the activation of Azure Active Directory Premium for the specific user account from the old Azure Active Directory portal.

On the left hand side, click on Active Directory and choose your Active Directory subscription name:

Image 1

Click on LICENSES, choose Azure Active Directory Premium and assign the license to a user:

Image 2

This enables full support and configuration for identity and access management with Azure Active Directory – whether hybrid and/or cloud-based identity.

In the next step, switch to APPLICATIONS. As you can see in the following screenshot, there are already some applications present, depending on your SaaS applications and Office 365 subscriptions:

Image 3

Now let’s add an additional application from the gallery. There are currently more than 2,500 SaaS applications present. After you click on ADD, the following new window appear:

Image 4

Image 5

I picked up Twitter in my example for my private Twitter Account:

Image 6

As you can see in the above screenshot, I already configured single sign-on for this application. You can choose between two options:

–          Password Single Sign-On

–          Existing Single Sign-On

Image 7

In this example we’re using a cloud-based identity only with no third-party single sign-on provider or hybrid configurations. So password single sign-on was choose.

The next step is to assign accounts to the Twitter application from your Microsoft Azure Active Directory:

Image 8

Because this is my private Twitter account, I’m able to enter the credentials on behalf of the user.

Enabling automatic password rollover will automatically update the password for this account at the frequency you define. Once enabled, the application should be accessed exclusively using the access panel or the single sign-on link specific for this application, as you can see in the following screenshot. During each password update, the password is updated using a randomly generated 16-character complex string:

Image 9

After a couple of seconds later, the Twitter application with the specific account was configured for single sign-on over the access panel portal. Of course you can configure multi-factor authentication and location based access rules for you applications and allow self-service access to applications:

Image 10

Now let’s access the access panel and test our recently configured single sign-on feature for the Twitter application with Microsoft Azure Active Directory. Browse to URL and log-in with your Azure Active Directory user information:

Image 11

Click on your newly installed Twitter application. A new tab will be opened and you’re automatically signed-in.

You can use this or other SaaS applications in a similar way to provide corporate single sign-on for your users instead of having multiple accounts for multiple applications – whether on-premises and/or cloud.

About the Author: Dominik

Dominik Hoefling is a Consultant in Microsoft technologies specialising in Microsoft Exchange, Exchage Online and Office 365. Dominik works for German consulting company “atwork deutschland GmbH” which is a part of the Austrian atwork information technology company. Dominik designs and builds message infrastructures and troubleshoots Microsoft technologie issues. He has numerous Microsoft certifications including MCSA for Office 365, MCITP for Exchange Server 2010, MCSE Messaging (Exchange Server 2013), and MCITP Enterprise Administrator for Windows Server 2008 / 2008 R2.

Follow Dominik on Twitter: @DominikHoefling


Share this on...

Rate this Post: