Hello, everybody. Thank you for joining. My name is Jorge Lopez. I'm a senior product manager at Microsoft, and I'm part of the Identity Division. So part of my work is actually to build Azure AD features and products.
Today, I'm here to talk to you about best practices for hybrid identity organizations that you're going to take advantage of, especially if you have cases where you still have on-premises resources and features in Azure AD that you want to take advantage of.
First of all, I'm going to walk you through some of the overview and the agenda that I'm going to talk to you today. So first, we're going to do a quick recap on what a hybrid identity organization means. And then, I'm going to walk you through some of the scenarios and best practices that we have, basically, for three main pillars, which is users, apps, and devices.
To begin with, let's put ourselves back maybe 10 years ago. What you're seeing right now is a very typical topology infrastructure environment for those hybrid identity organizations, where you're going to have an on-premises Active Directory forest, maybe multiple forests. Some Kerberos applications, header-based applications, internet servers, and employees accessing all of these applications from corporate devices within the same network.
Some organizations may actually have a little bit more modern applications based on SAML protocols and federation servers. Because of the challenges that these organizations started having at some point, most of these organizations started deploying DMZs with virtual private networks, or VPNs. And that was basically to provide access to remote employees. Employees that were in the field, external vendors, partners, and suppliers with different organizations.
And with all of the different modernization of the applications, a lot of vendors and a lot of third-party apps started deploying what we call SaaS apps, or Software as a Service apps, which means applications like Box, Salesforce, ServiceNow started deploying all of these different platforms that were actually born in the cloud.
With that, there were some challenges coming from all of these organizations where, how do my users start accessing these apps? So unfortunately, a lot of organizations were actually doing-- creating separate username and passwords for these applications. That meant that, basically, a lot of the users were creating n number of accounts-- x number of accounts, with probably the same password. And that's, as you may know, it's not really the best practice.
One of the other challenges that we had at that time is because of the separation of identities, right? So if I had a partner or a supplier that needed access to one of my applications on premises, but I don't want to mix up my corporate identities with my partner identity. So they were creating all their forests sitting on the DMZ. Maybe now that doesn't really sound like the great idea. But at that time, it was probably the only way to make it work.
As time started going on, we, of course, Microsoft, developed and deployed Office 365. And with that, we came up with Azure Active Directory, which is basically a presence of your on-premises identities in the cloud. So basically, a representation of those identities, whether you're maybe creating cloud-only users or synchronizing them from on premises using Azure AD Connect, as you may know.
So what you're seeing right here is, like I said, a typical topology for a hybrid organization. So as you can tell, this is where we actually base our recommendation, which is at the top, the applications, in the middle, the devices. And at the bottom, of course, the users, where-- most of the recommendations that I'm going to talk to you about today are based on the users, but I also have a few things about devices and applications.
So let's start with the users. And one of the main things that I like to say is that a lot of organizations are still stuck in recommendations and guidance for almost 20 years, right? NIST in 2004 came out with the very first password recommendations approach, which is eight characters minimum, uppercase, lowercase, complex passwords, change it regularly.
And that's been, like I said, 2004. It's been a lot of time now. And one of my recommendations is organizations need to start thinking about updated guidance, right? So even NIST, in 2017, came out with another guidance that says, use easy-to-remember phrases. And only change your password if you think that it has been compromised.
We, at Microsoft, also recommend to follow aka.ms password guidance, which is our own guidance as well, that follow some of the NIST guidelines, too. And mainly, it's just, basically, that passwords by themselves are not enough protection anymore.
And if you're familiar with Azure AD password protection, it's one of those features that I keep talking about that we have in the cloud that you can extend to your on premises environment, especially if you do it in hybrid mode. And one of the main things that you've been probably hearing from Microsoft a lot lately, evaluate password solutions.
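The banned-password approach referred to here, as an added example that is not part of the talk and not Microsoft's code: a Python checker that mirrors the publicly documented Azure AD Password Protection steps (normalisation, edit-distance-one fuzzy matching, a five-point score) in simplified form. The banned list and substitution table are constructed sample data, and treating user-specific tokens as banned is an assumption.

```python
"""Banned-password scoring in the style of Azure AD Password Protection.
Added illustration, not Microsoft's code: normalisation, edit-distance-one
fuzzy matching and the five-point threshold follow the documented behaviour
in simplified form; banned list and substitution table are constructed."""

GLOBAL_BANNED = {"password", "contoso", "summer", "welcome"}  # constructed sample
SUBSTITUTIONS = str.maketrans({"0": "o", "1": "l", "$": "s", "@": "a"})  # subset
MIN_SCORE = 5  # documented acceptance threshold


def normalize(password: str) -> str:
    """Lower-case the password and undo common leetspeak substitutions."""
    return password.lower().translate(SUBSTITUTIONS)


def edit_distance_le_one(a: str, b: str) -> bool:
    """True when a and b differ by at most one insert, delete or substitution."""
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) <= 1
    if abs(len(a) - len(b)) != 1:
        return False
    short, long_ = sorted((a, b), key=len)
    return any(long_[:i] + long_[i + 1:] == short for i in range(len(long_)))


def score_password(password, banned=GLOBAL_BANNED, user_tokens=()):
    """Return (points, matched_tokens): each banned token found in the
    normalised password scores 1 point, every leftover character scores 1."""
    norm = normalize(password)
    # Assumption: user/tenant tokens of 4+ characters are treated as banned too.
    tokens = sorted(set(banned) | {t.lower() for t in user_tokens if len(t) >= 4},
                    key=len, reverse=True)
    points, matched, i = 0, [], 0
    while i < len(norm):
        # Try an exact-length window first, then one shorter / one longer (fuzzy).
        hit = next(((w, width) for w in tokens
                    for width in (len(w), len(w) - 1, len(w) + 1)
                    if 0 < width <= len(norm) - i
                    and edit_distance_le_one(norm[i:i + width], w)), None)
        if hit:
            matched.append(hit[0])
            i += hit[1]
        else:
            i += 1
        points += 1
    return points, matched


def is_acceptable(password, banned=GLOBAL_BANNED, user_tokens=()):
    """A password passes only when its score reaches MIN_SCORE."""
    return score_password(password, banned, user_tokens)[0] >= MIN_SCORE
```

With "blank" added to the banned set, `C0ntos0Blank12` normalises to `contosoblank12` and scores only 4 (contoso, blank, 1, 2), while `ContoS0Bl@nkf9!` scores 5 and passes; a 2004-style complexity rule would have accepted both.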
And that's some of the other things that we've been recommending because we do have some things that you can do today to implement passwordless. And we can provide you some deployment plans on all of the other things that you can look in the near future for your passwordless needs.
Something that you're hearing a lot, and we are not going to get tired of saying it, please enable MFA. Some of the numbers show us that a lot-- around 26% of the user population are not using any sort of MFA. We're going to talk about the authentication methods in some of the next slides. But please enable MFA. It's super important for your security approach.
When we talk about MFA, of course, and authentication methods, we need to discuss that