AZURE ACTIVE DIRECTORY TEAM BLOG
<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
xmlns:content="http://purl.org/rss/1.0/modules/content/"
xmlns:wfw="http://wellformedweb.org/CommentAPI/"
xmlns:dc="http://purl.org/dc/elements/1.1/"
xmlns:atom="http://www.w3.org/2005/Atom"
xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
>
<channel>
<title>Azure Active Directory – Enterprise Mobility and Security Blog</title>
<atom:link href="https://blogs.technet.microsoft.com/enterprisemobility/feed/?product=azure-active-directory" rel="self" type="application/rss+xml" />
<link>https://blogs.technet.microsoft.com/enterprisemobility</link>
<description>The most recent news and updates about Microsoft’s Enterprise Mobility offerings and events for enterprise technology professionals and developers.</description>
<lastBuildDate>Wed, 26 Apr 2017 17:00:21 +0000</lastBuildDate>
<language>en-US</language>
<sy:updatePeriod>hourly</sy:updatePeriod>
<sy:updateFrequency>1</sy:updateFrequency>
<item>
<title>Demonstrating our Growth Mindset &amp; Learning from our Customers: We’re reverting the branding logic on Azure AD login pages</title>
<link>https://blogs.technet.microsoft.com/enterprisemobility/2017/04/25/having-a-growth-mindset-learning-from-our-customers-were-reverting-the-branding-logic-on-azure-ad-login-pages/</link>
<comments>https://blogs.technet.microsoft.com/enterprisemobility/2017/04/25/having-a-growth-mindset-learning-from-our-customers-were-reverting-the-branding-logic-on-azure-ad-login-pages/#respond</comments>
<pubDate>Wed, 26 Apr 2017 00:26:09 +0000</pubDate>
<dc:creator><![CDATA[Alex_SimonsMS]]></dc:creator>
<category><![CDATA[Uncategorized]]></category>
<guid isPermaLink="false">https://blogs.technet.microsoft.com/enterprisemobility/?p=51035</guid>
<description><![CDATA[Howdy folks, Back on April 7th we announced changes to the branding logic for Azure AD login pages. In the 18 days since then we’ve learned a ton from you, our customers, including the fact that many of you are not thrilled with these changes. Additionally, we learned that we took many of you by surprise <p><a class="read-more" href="https://blogs.technet.microsoft.com/enterprisemobility/2017/04/25/having-a-growth-mindset-learning-from-our-customers-were-reverting-the-branding-logic-on-azure-ad-login-pages/">Continue reading</a></p>]]></description>
<content:encoded><![CDATA[<p>Howdy folks,</p> <p>Back on April 7<sup>th</sup> <a href="https://blogs.technet.microsoft.com/enterprisemobility/2017/04/07/improving-the-branding-logic-of-azure-ad-login-pages/">we announced changes to the branding logic for Azure AD login pages</a>. In the 18 days since then we’ve learned a ton from you, our customers, including the fact that many of you are not thrilled with these changes. Additionally, we learned that we took many of you by surprise and did not give you enough time to alert and train your employees about the change.</p> <p>So today we get to demonstrate our Growth Mindset! We’ve learned from your feedback and we’ve decided to roll back these changes (they are being reverted as I type). We’re going to revisit the overall plan here and take steps to better socialize and communicate future end-user facing UX changes. Ariel Gordon, the PM for these features, has the details below.</p> <p>Thanks to all of you who shared your feedback with us about these changes. We learned a lot from you and we’ll use these lessons to improve going forward.</p> <p>Best regards,</p> <p>Alex Simons (Twitter: <a href="https://twitter.com/Alex_A_Simons">@Alex_A_Simons</a>)</p> <p>Director of Program Management</p> <p>Microsoft Identity Division</p> <p>———————–</p> <p>Hi everyone,</p> <p>Earlier this month we changed the logic that controls app vs. company branding on Azure AD login pages. These changes had two key motivations: provide better brand awareness to customers using B2B flows, and reconcile the branding logic between Azure AD and Microsoft accounts, as a prerequisite to merging the two login experiences later this year.</p> <p>And while we tested and validated the new logic with many customers, we underestimated the impact of these changes to the broader community. You’ve also told us that these changes had disrupted your business because we failed to provide advance notice.</p> <p>We’ve heard you loud and clear. 
We’ve therefore decided to roll back these changes, effective immediately. We’re also making changes to our engineering and communication process to ensure this doesn’t happen again. Specifically, our team is making the following commitments:</p> <ol> <li>Future login UX changes that affect business customers will be announced ahead of time</li> <li>Changes will be tested via flighting, and incorporate a Preview period that allows us to gather broader feedback from you</li> <li>For most disruptive design changes, we’ll introduce an opt-in period of at least 30 days, giving everyone a chance to update their support and training materials</li> </ol> <p>Best regards,</p> <p>Ariel Gordon, Principal Program Manager, Identity Division (<a href="https://twitter.com/askariel">@askariel</a>)</p> ]]></content:encoded>
<wfw:commentRss>https://blogs.technet.microsoft.com/enterprisemobility/2017/04/25/having-a-growth-mindset-learning-from-our-customers-were-reverting-the-branding-logic-on-azure-ad-login-pages/feed/</wfw:commentRss>
<slash:comments>0</slash:comments>
</item>
<item>
<title>#AzureAD Mailbag: Azure AD App Proxy, Round 2</title>
<link>https://blogs.technet.microsoft.com/enterprisemobility/2017/04/21/azuread-mailbag-azure-ad-app-proxy-round-2/</link>
<comments>https://blogs.technet.microsoft.com/enterprisemobility/2017/04/21/azuread-mailbag-azure-ad-app-proxy-round-2/#respond</comments>
<pubDate>Fri, 21 Apr 2017 16:00:22 +0000</pubDate>
<dc:creator><![CDATA[Mark Morowczynski [MSFT]]]></dc:creator>
<category><![CDATA[Uncategorized]]></category>
<category><![CDATA[Mailbag]]></category>
<category><![CDATA[SaaS]]></category>
<guid isPermaLink="false">https://blogs.technet.microsoft.com/enterprisemobility/?p=50057</guid>
<description><![CDATA[Hey everyone, Ian Parramore here. Long time no post for us on these mailbags. You might be wondering what happened and why we didn’t have a post for almost 2 months. I can tell you who is to blame, Mark. Now that we got that out of the way. Today we’re going to dive in <p><a class="read-more" href="https://blogs.technet.microsoft.com/enterprisemobility/2017/04/21/azuread-mailbag-azure-ad-app-proxy-round-2/">Continue reading</a></p>]]></description>
<content:encoded><![CDATA[<p>Hey everyone, Ian Parramore here. Long time no post for us on these mailbags. You might be wondering what happened and why we didn’t have a post for almost 2 months. I can tell you who is to blame, <a href="https://twitter.com/markmorow">Mark</a>. Now that we got that out of the way. Today we’re going to dive in a little bit on some of the most common questions we’ve seen around the Azure AD Application Proxy. For those of you not familiar with this awesome feature, Application Proxy provides single sign-on (SSO) and secure remote access for web applications hosted on-premises. These on-premises web applications can now be integrated with Azure AD, allowing your end users to access your on-premises applications the same way they access O365 and other SaaS apps integrated with Azure AD. You don’t even need to change the network infrastructure or require a VPN to provide this solution for your users. To learn more about Application Proxy and how to get started, see our <a href="https://docs.microsoft.com/en-us/azure/active-directory/active-directory-application-proxy-get-started">documentation</a>. Now let’s dig into some of your questions.</p> <p> </p> <p><b>Question 1:</b></p> <p>I’m trying to set up Kerberos constrained delegation as discussed in <a href="https://azure.microsoft.com/en-us/documentation/articles/active-directory-application-proxy-sso-using-kcd/">this article</a> but am struggling to understand the PrincipalsAllowedToDelegateToAccount method. 
Do you have some more insights you can share on this?</p> <p> </p> <p><b>Answer 1:</b></p> <p>PrincipalsAllowedToDelegateToAccount is specifically used where the Connector servers are in a different domain to the web application service account and requires the use of Resource-based Constrained Delegation.</p> <p> </p> <p>If the Connector servers and the web application service account are in the same domain then you can use the Active Directory Users and Computers to configure the delegation settings on each of the Connector machine accounts to allow them to delegate to the target SPN.</p> <p> </p> <p>If the Connector servers and the web application service account are in different domains then we need to use Resource based delegation where the delegation permissions are configured on the target web server / web application service account.</p> <p>This is a relatively new method of Constrained Delegation introduced in Windows Server 2012 which supports cross-domain delegation by allowing the resource (web service) owner to control which machine/service accounts are allowed to delegate to it. 
There is no UI to assist with this configuration so we need to use PowerShell.</p> <p> </p> <p>Each Azure AD Application Proxy Connector machine account needs to be granted permissions to delegate to the web application service account.</p> <p>When validating your configuration you can check the PrincipalsAllowedToDelegateToAccount setting using the following PowerShell:-</p> <p>Get-ADUser -Identity sharepointserviceaccount -Properties “PrincipalsAllowedToDelegateToAccount”</p> <p> </p> <p>The following output shows 2 machine accounts with permissions to delegate to the sharepointserviceaccount corresponding to our 2 Connector servers:</p> <p> </p> <p><a href="https://msdnshared.blob.core.windows.net/media/2017/03/image812.png"><img width="2702" height="128" title="image" style="padding-top: 0px;padding-left: 0px;padding-right: 0px;border: 0px" alt="image" src="https://msdnshared.blob.core.windows.net/media/2017/03/image_thumb760.png" border="0" /></a></p> <p> </p> <p>If one or more of your Connector servers do not have permissions to delegate to the target web application service account then you will see errors similar to the following:</p> <p><a href="https://msdnshared.blob.core.windows.net/media/2017/03/image813.png"><img width="1147" height="1056" title="image" style="padding-top: 0px;padding-left: 0px;padding-right: 0px;border: 0px" alt="image" src="https://msdnshared.blob.core.windows.net/media/2017/03/image_thumb761.png" border="0" /></a></p> <p> </p> <p>In the article you’ll see the following sample PowerShell commands:</p> <p>$connector= Get-ADComputer -Identity <span style="background-color: #ffff00">connectormachineaccount</span> -server dc.connectordomain.com</p> <p>Set-ADUser -Identity sharepointserviceaccount -PrincipalsAllowedToDelegateToAccount $connector</p> <p> </p> <p>This is fine but will only set one Connector with delegation rights to the sharepointserviceaccount.</p> <p>If you only specify one of two Azure AD App Proxy connectors, access to 
the app will only succeed if traffic is routing through that connector.</p> <p> </p> <p>Where you have more than one Connector the first command would ideally look something like this:</p> <p>$connectors = Get-ADComputer <span style="background-color: #ffff00">-filter {name -like "*<i>appproxyname</i>*"}</span> -server dc.connectordomain.com</p> <p> </p> <p>This command assumes the connectors have a similar name and that the wildcards will return more than one computer account. For example, in my environment I have two connectors, MSFTPM-AAP1 and MSFTPM-AAP2. So I would run:</p> <p>$connectors = Get-ADComputer <span style="background-color: #ffff00">-filter {name -like "*<i>aap</i>*"}</span> -server dc.connectordomain.com</p> <p> </p> <p>This returns both servers and sets them in the $connectors variable. I can then run the second command to set the attribute appropriately on my resource server:</p> <p>Set-ADUser -Identity sharepointserviceaccount -PrincipalsAllowedToDelegateToAccount $connectors</p> <p> </p> <p>We can then use the following PowerShell to re-validate the setting:</p> <p>Get-ADUser -Identity sharepointserviceaccount -Properties “PrincipalsAllowedToDelegateToAccount”</p> <p>Note the above examples are using Set-AdUser/Get-AdUser when getting/setting the PrincipalsAllowedToDelegateToAccount attribute. This is because the web application is running under a service account.</p> <p> </p> <p>If the web application was running under a machine context we would need to use Set-AdComputer/Get-AdComputer. 
This may be relevant in a test environment with only a single web server but in a load balanced web server deployment we would expect the services to be running under a common service account.</p> <p> </p> <p>When populating the $connectors variable we will always use Get-AdComputer as we are specifically interested in the Connector machine accounts.</p> <p> </p> <p>For further information about Kerberos Constrained Delegation and Resource-based Constrained Delegation please see the following whitepaper <a href="http://aka.ms/kcdpaper">http://aka.ms/kcdpaper</a></p> <p> </p> <p><b>Question 2:</b></p> <p>Should I create a dedicated account to register the connector with the Azure AD Application Proxy?</p> <p> </p> <p><b>Answer 2:</b></p> <p>There’s no reason to. Any global admin account will work fine. The credentials entered during installation are not used after the registration process. Instead, a certificate is issued to the connector which will be used for authentication from that point forward. You can see this certificate in the personal store of the computer account:</p> <p><a href="https://msdnshared.blob.core.windows.net/media/2017/03/image814.png"><img width="1392" height="154" title="image" style="padding-top: 0px;padding-left: 0px;padding-right: 0px;border: 0px" alt="image" src="https://msdnshared.blob.core.windows.net/media/2017/03/image_thumb762.png" border="0" /></a></p> <p><b></b></p> <p><b>Question 3: </b></p> <p>How can I monitor the performance of the Azure AD Application Proxy connector?</p> <p><b></b></p> <p><b>Answer 3: </b></p> <p>There are Performance Monitor counters that are installed along with the connector. To view them do the following:</p> <p>1. Start -> Type “Perfmon” -> Enter</p> <p>2. 
Select Performance Monitor and click the green “+” icon:</p> <p><a href="https://msdnshared.blob.core.windows.net/media/2017/03/image815.png"><img width="1202" height="244" title="image" style="padding-top: 0px;padding-left: 0px;padding-right: 0px;border: 0px" alt="image" src="https://msdnshared.blob.core.windows.net/media/2017/03/image_thumb763.png" border="0" /></a></p> <p>3. Select and add the Microsoft AAD App Proxy Connector counters:</p> <p><a href="https://msdnshared.blob.core.windows.net/media/2017/03/image816.png"><img width="1281" height="882" title="image" style="padding-top: 0px;padding-left: 0px;padding-right: 0px;border: 0px" alt="image" src="https://msdnshared.blob.core.windows.net/media/2017/03/image_thumb764.png" border="0" /></a></p> <p> </p> <p><b>Question 4: </b></p> <p>Can only IIS-based apps be published? What about web apps running on non-Windows web servers? Does the connector have to be installed on a server with IIS installed?</p> <p> </p> <p><b>Answer 4: </b></p> <p>Woah, this is a 3 for 1!</p> <p> No there is no IIS requirement for apps that are published.</p> <p> Yes you can publish web apps running on servers other than Windows Server. Having said that, you may or may not be able to use pre-authentication with a non-Windows Server depending on if the web server supports Negotiate (Kerberos authentication).</p> <p>The server the connector is installed on does not have to have IIS installed.</p> <p> </p> <p><b>Question 5: </b></p> <p>Does the Azure AD App Proxy connector have to be on the same subnet as the resource?</p> <p> </p> <p><b>Answer 5:</b></p> <p>There is no requirement for the connector to be on the same subnet. It does however need name resolution to the resource as well as the necessary network connectivity (routing to the resource, ports open on the resource, etc.). 
If you want a more detailed discussion on connector location, please see <a href="https://blogs.technet.microsoft.com/applicationproxyblog/2016/08/16/network-topology-considerations-when-using-azure-ad-application-proxy/">our blog</a>.</p> <p> </p> <p><b>Question 6: </b></p> <p>I’ve published the App Proxy application, and I’m able to log in, but the application is not displaying as expected. Why isn’t it working?</p> <p> </p> <p><b>Answer 6: </b>If you’re able to log in and the application isn’t displaying properly, there are two common possible causes.</p> <p>Please verify that all the pages referenced by the application are in the path you published. For example, we see many cases where the published path is contoso/myapp/register/, but the web page has references to resources under different paths, e.g. contoso/myapp/style.css. Because the path containing the style page has not been published, the application is unable to find it when loading.</p> <p>One way to check if this may be the problem is to look at a Fiddler trace or use the Network tab in the F12 Developer tools in Internet Explorer or Edge browsers to get an overview of the request/response pairs and associated HTTP status codes as you load a web page. You can use the output to identify if you are getting any 404 errors, and if so, whether the resources with the 404 errors are in the published path.</p> <p> </p> <p>In the above example, publishing contoso/myapp/ instead of contoso/myapp/register/ would solve the problem.</p> <p> </p> <p>Also, make sure to check if your application uses hard-coded internal links, either to other applications or unpublished sites, or to its own internal namespace.</p> <p> </p> <p>This can be problematic where the internal and external FQDNs in use are different and the web server generates links based on its internal name. 
Our general recommendation is to use the same internal and external FQDN and protocol (validate that both are the same; https is preferred, http is allowed) where possible to reduce the chance of any problems.</p> <p> </p> <p>For sites that contain links to other internal sites or applications, you would need to identify these and then ensure the relevant applications and sites are also published and available externally through Application Proxy. If these links are fully qualified, please use the <a href="https://docs.microsoft.com/en-us/azure/active-directory/active-directory-application-proxy-custom-domains">custom domains feature</a> to make sure these links will work. If not, look for an upcoming announcement in the coming months on some new Application Proxy capabilities in this area. Please check the <a href="https://blogs.technet.microsoft.com/enterprisemobility/">Enterprise Mobility and Security blog</a> for announcements.</p> <p> </p> <p>You can use a tool such as Fiddler to review the traffic and identify request failures with a 404 status. You can also use the Network tab in the F12 Developer tools in Internet Explorer or Edge browsers to get an overview of the request/response pairs and associated HTTP status codes as you load a web page.</p> <p> </p> <p>Thanks for reading.</p> <p> </p> <p>For any questions you can reach us at<br /> <a>AskAzureADBlog@microsoft.com</a>, the <a href="https://social.msdn.microsoft.com/Forums/azure/en-US/home?forum=WindowsAzureAD">Microsoft Forums</a> and on Twitter <a href="https://twitter.com/AzureAD">@AzureAD</a>, <a href="https://twitter.com/markmorow">@MarkMorow</a> and <a href="https://twitter.com/Alex_A_Simons">@Alex_A_Simons</a></p> <p> </p> <p>-Ian Parramore, Harshini Jayaram, and Mark Morowczynski</p> ]]></content:encoded>
<wfw:commentRss>https://blogs.technet.microsoft.com/enterprisemobility/2017/04/21/azuread-mailbag-azure-ad-app-proxy-round-2/feed/</wfw:commentRss>
<slash:comments>0</slash:comments>
</item>
<item>
<title>Extend cloud identity and access management to your customer and partner relationships</title>
<link>https://blogs.technet.microsoft.com/enterprisemobility/2017/04/12/extend-cloud-identity-and-access-management-to-your-customer-and-partner-relationships-2/</link>
<pubDate>Wed, 12 Apr 2017 16:00:59 +0000</pubDate>
<dc:creator><![CDATA[Andrew Conway]]></dc:creator>
<category><![CDATA[Uncategorized]]></category>
<guid isPermaLink="false">https://blogs.technet.microsoft.com/enterprisemobility/?p=50525</guid>
<description><![CDATA[Organizations are transforming how they operate in a digital world. This means seizing new opportunities quickly, reinventing business processes, and delivering greater value to customers.]]></description>
<content:encoded><![CDATA[<p>Organizations are transforming how they operate in a digital world. This means seizing new opportunities quickly, reinventing business processes, and delivering greater value to customers. More important than ever are the strong and trusted relationships with the whole ecosystem in which an organization operates. This includes business partners, contractors, and of course customers. While business-to-business (B2B) and business-to-consumer (B2C) interactions may be different, sustaining both requires information security combined with intuitive user experiences.</p> <p>As your network of B2B and B2C connections grows online, securing them across on-premises, cloud, and hybrid scenarios becomes more of a challenge. A secure identity platform is critical to support this growth and to enable digital business securely. With this goal in mind, today we announce two important extensions in the capability of Microsoft Azure Active Directory.</p> <h2>Azure Active Directory B2B collaboration now generally available</h2> <p>Businesses are increasingly dispersed, mobile, and collaborative, relying on a wide range of vendors, partners, and contractors to stay nimble and capitalize on changing markets. Azure Active Directory (AD) is the foundation of our identity-driven approach to security and extends beyond your own employees to secure the identities of external collaborators: partners, contractors, and vendors. Our goal is to make it easy and secure to collaborate with the employees of any organization. Azure AD B2B collaboration is generally available today and is part of Microsoft Enterprise Mobility + Security (EMS).</p> <p>B2B collaboration provides external user accounts with secure access to documents, resources, and applications while maintaining control over internal data. 
There’s no need to add external users to your directory, sync them, or manage their lifecycle; IT can invite collaborators to use any email address - Office 365, on-premises Microsoft Exchange, or even a personal address (Outlook.com, Gmail, Yahoo!, etc.) - and even set up conditional access policies, including multi-factor authentication. Your developers can use the Azure AD B2B APIs to write applications that bring together different organizations in a secure way and deliver a seamless and intuitive end user experience.</p> <p>Millions of users from thousands of businesses have already been using Azure AD B2B collaboration capabilities available through public preview.</p> <blockquote><p>As early adopters of Azure AD B2B collaboration, we used this service to provide a simple and secure way for partners, large and small, to use their own credentials to access Kodak Alaris systems. The latest enhancements are interesting, and we plan to use the invitation manager API in our Partner Relationship Management portal for a more customized guest onboarding/provisioning experience. The Azure AD team has been an incredible partner in our re-creation of a more agile and cost-effective hybrid cloud IT infrastructure. 
- Steve Braunschweiger, Chief Enterprise IT Architect Kodak Alaris</p></blockquote> <h3>Here’s how you can get started with Azure Active Directory B2B collaboration:</h3> <ul> <li>Watch this <a href="https://aka.ms/b2bmechanics">Mechanics Video</a> to see the benefits of cloud-based B2B identity and access management</li> <li>Read more details from the <a href="https://aka.ms/b2bcollabblog">Azure AD B2B team blog</a></li> <li>Get started with <a href="https://docs.microsoft.com/en-us/azure/active-directory/active-directory-b2b-admin-add-users">Azure Active Directory B2B collaboration</a></li> </ul> <h2>Azure Active Directory B2C now available in Europe</h2> <p>Another important audience within most enterprise ecosystems are the customers who trust your business with their own sensitive personal and financial information. Azure Active Directory B2C enables organizations to securely connect with their customers at scale. Today, Azure AD B2C is generally available in Europe. Azure AD B2C is a highly available, global identity and access management service for your consumer-facing applications. It scales to hundreds of millions of protected identities, integrates easily with nearly any platform on any device, and includes optional multi-factor authentication for additional protection. Your consumers will be able to use existing social media accounts or create new credentials for single sign-on access to your applications through a fully customizable experience.</p> <p>Organizations now have the option to use Azure AD B2C tenants that operate and store data only in European datacenters. 
For all other regions, Azure AD B2C is available through the North American or European datacenters.</p> <h3>Here’s how you can get started with Azure Active Directory B2C:</h3> <ul> <li>Watch <a href="https://youtu.be/ASC7CG4XMq8">this video</a> to see the benefits of cloud-based consumer identity and access management</li> <li>Read more details from the <a href="https://aka.ms/azureadb2ceu">Azure AD B2C team blog</a></li> <li>Get started with <a href="http://azure.microsoft.com/trial/get-started-aad-b2c/">Azure AD B2C</a> in your consumer app</li> </ul> <p>As companies adopt a cloud-first position to take advantage of increased agility and faster innovation, like B2B and B2C, we recognize that cloud-first doesn’t mean cloud-only. <a href="https://blogs.technet.microsoft.com/hybridcloud/2017/04/12/consistency-is-the-cure-for-hybrid-cloud-complexity/">As we announced today</a>, we make it easy for customers to maximize their existing investments to adopt cloud. A hybrid approach is a strategic plan for businesses financially, for security, and for their identities and applications.</p> ]]></content:encoded>
</item>
<item>
<title>Azure AD B2B Collaboration is Generally Available!</title>
<link>https://blogs.technet.microsoft.com/enterprisemobility/2017/04/12/azure-ad-b2b-collaboration-is-generally-available/</link>
<pubDate>Wed, 12 Apr 2017 16:00:57 +0000</pubDate>
<dc:creator><![CDATA[Alex_SimonsMS]]></dc:creator>
<category><![CDATA[Uncategorized]]></category>
<category><![CDATA[B2B]]></category>
<category><![CDATA[Cloud]]></category>
<category><![CDATA[Conditional Access]]></category>
<category><![CDATA[SaaS]]></category>
<guid isPermaLink="false">https://blogs.technet.microsoft.com/enterprisemobility/?p=50485</guid>
<description><![CDATA[Howdy folks, This is a blog post I’ve been as eager to publish as I suspect you’ve been eager to read it. I’m excited to let you know that Azure AD business-to-business (B2B) collaboration is generally available worldwide! Azure AD B2B collaboration capabilities enable any organization using Azure AD to work safely and securely with <p><a class="read-more" href="https://blogs.technet.microsoft.com/enterprisemobility/2017/04/12/azure-ad-b2b-collaboration-is-generally-available/">Continue reading</a></p>]]></description>
<content:encoded><![CDATA[<p><span style="color: black;font-family: Segoe UI;font-size: 11pt">Howdy folks,<br /> </span></p> <p><span style="color: black;font-family: Segoe UI;font-size: 11pt">This is a blog post I’ve been as eager to publish as I suspect you’ve been eager to read it. I’m excited to let you know that Azure AD business-to-business (B2B) collaboration is generally available worldwide!<br /> </span></p> <p><span style="color: black;font-family: Segoe UI;font-size: 11pt">Azure AD B2B collaboration capabilities enable any organization using Azure AD to work safely and securely with users from any other organization, small or large, with or without Azure AD, & with or without an IT organization.<br /> </span></p> <p><span style="color: black;font-family: Segoe UI;font-size: 11pt">Organizations using Azure AD can provide their B2B partners access to documents, resources, and applications while maintaining control over corporate data. Developers can use the Azure AD B2B APIs to write applications that bring two organizations together in a secure way that is also seamless and intuitive for end users to navigate.<br /> </span></p> <p><span style="color: black;font-family: Segoe UI;font-size: 11pt">Customer demand for these capabilities is sky high! Already during the public preview, customers have invited 2.6M guest users using these new capabilities. 
<img class="aligncenter" alt="" src="https://msdnshared.blob.core.windows.net/media/2017/04/041117_0246_AzureADB2BC1.png" /><br /> </span></p> <p style="text-align: justify"><span style="color: black;font-family: Segoe UI;font-size: 11pt">And more than 20% of Azure AD Tenants with >10 users are now using Azure AD B2B!:<br /> </span></p> <p style="text-align: justify"><span style="color: black;font-family: Segoe UI;font-size: 11pt"><br /> <img class="aligncenter" alt="" src="https://msdnshared.blob.core.windows.net/media/2017/04/041117_0246_AzureADB2BC2.png" /><br /> </span></p> <p><span style="color: black;font-family: Segoe UI;font-size: 11pt">We have spent thousands and thousands of hours with these customers diving into how we can best serve their needs with Azure AD B2B.<br /> </span></p> <p><span style="color: black;font-family: Segoe UI;font-size: 11pt">I’d like to thank all of you who spent time with us providing feedback and suggestions. We would not have reached this point without your partnership.<br /> </span></p> <p><span style="color: black;font-family: Segoe UI;font-size: 11pt">Now you can dive in and use Azure AD B2B in your organization! 
Here are a few highlights of the things you can do now:<br /> </span></p> <p><span style="color: black;font-family: Segoe UI;font-size: 11pt"><strong>Easily add B2B users to your organization:<br /> </strong></span></p> <p><img class="aligncenter" alt="" src="https://msdnshared.blob.core.windows.net/media/2017/04/041117_0246_AzureADB2BC3.png" /><span style="color: black;font-family: Segoe UI;font-size: 11pt"><br /> </span></p> <p><span style="color: black;font-family: Segoe UI;font-size: 11pt"><strong>Enable your collaborators to bring their own identity to work with you:<br /> </strong></span></p> <p><img class="aligncenter" alt="" src="https://msdnshared.blob.core.windows.net/media/2017/04/041117_0246_AzureADB2BC4.png" /><span style="color: black;font-family: Segoe UI;font-size: 11pt"><br /> </span></p> <p><span style="color: black;font-family: Segoe UI;font-size: 11pt"><strong>Delegate to application and group owners so they can add B2B users directly to any of the thousands of apps that work with Azure AD:<br /> </strong></span></p> <p><img class="aligncenter" alt="" src="https://msdnshared.blob.core.windows.net/media/2017/04/041117_0246_AzureADB2BC5.png" /><span style="color: black;font-family: Segoe UI;font-size: 11pt"><br /> </span></p> <p><img class="aligncenter" alt="" src="https://msdnshared.blob.core.windows.net/media/2017/04/041117_0246_AzureADB2BC6.png" /><span style="color: black;font-family: Segoe UI;font-size: 11pt"><br /> </span></p> <p><span style="color: black;font-family: Segoe UI;font-size: 11pt"><strong>Have consistent authorization policies protecting your corporate content across your employees and partners:<br /> </strong></span></p> <p><img class="aligncenter" alt="" src="https://msdnshared.blob.core.windows.net/media/2017/04/041117_0246_AzureADB2BC7.png" /><span style="color: black;font-family: Segoe UI;font-size: 11pt"><br /> </span></p> <p><span style="color: black;font-family: Segoe UI;font-size: 11pt"><strong>Use our APIs and 
sample code to easily build applications to onboard your external partners in ways customized to your organization’s needs:<br /> </strong></span></p> <p><img class="aligncenter" alt="" src="https://msdnshared.blob.core.windows.net/media/2017/04/041117_0246_AzureADB2BC8.png" /><span style="color: black;font-family: Segoe UI;font-size: 11pt"><br /> </span></p> <p><span style="color: black;font-family: Segoe UI;font-size: 11pt">With Azure AD B2B collaboration, you can get the full power of Azure AD to protect your partner relationships in a way that end users find easy and intuitive.<br /> </span></p> <p><span style="color: #0070c0;font-family: Segoe UI;font-size: 11pt"><strong>Work with any user from any partner<br /> </strong></span></p> <ul> <li><span style="color: black;font-family: Segoe UI;font-size: 11pt">Partners use their own credentials<br /> </span></li> <li><span style="color: black;font-family: Segoe UI;font-size: 11pt">No requirement for partners to use Azure AD<br /> </span></li> <li><span style="color: black;font-family: Segoe UI;font-size: 11pt">No external directories or complex set-up required<br /> </span></li> </ul> <p><span style="color: #0070c0;font-family: Segoe UI;font-size: 11pt"><strong>Simple and secure collaboration<br /> </strong></span></p> <ul> <li><span style="color: black;font-family: Segoe UI;font-size: 11pt">Provide access to any corporate application or resource<br /> </span></li> <li><span style="color: black;font-family: Segoe UI;font-size: 11pt">Seamless user experiences<br /> </span></li> <li><span style="color: black;font-family: Segoe UI;font-size: 11pt">Enterprise-grade security for applications and data<br /> </span></li> </ul> <p><span style="color: #0070c0;font-family: Segoe UI;font-size: 11pt"><strong>No management overhead<br /> </strong></span></p> <ul> <li><span style="color: black;font-family: Segoe UI;font-size: 11pt">No external account or password management<br /> </span></li> <li><span style="color: 
black;font-family: Segoe UI;font-size: 11pt">No sync or manual account lifecycle management<br /> </span></li> <li><span style="color: black;font-family: Segoe UI;font-size: 11pt">No external administrative overhead<br /> </span></li> </ul> <p><span style="color: black;font-family: Segoe UI;font-size: 11pt">Get started today on <a href="https://portal.azure.com/">the Azure portal</a>.<br /> </span></p> <p><span style="color: #1f1f1f;font-family: Segoe UI;font-size: 21pt">Learn More<br /> </span></p> <p><span style="color: #41424e;font-family: Segoe UI;font-size: 11pt">There’s far more detail about the new Azure AD B2B Collaboration features in our <a href="https://docs.microsoft.com/en-us/azure/active-directory/active-directory-b2b-what-is-azure-ad-b2b"><span style="color: #0078d7;text-decoration: underline">updated documentation</span></a>, so take a look and let us know if you have any questions! <span style="color: black">And if you haven’t seen it yet, check out (below) the latest short video about Azure AD B2B<span style="color: #41424e"> we put together, too.<br /> </span></span></span></p> <p><iframe width="560" height="315" src="https://www.youtube.com/embed/AhwrweCBdsc" frameborder="0" allowfullscreen></iframe> </p> <p><span style="color: #41424e;font-family: Segoe UI;font-size: 11pt">As always, connect with us for any feedback, discussions and suggestions through our <a target="_blank" href="https://techcommunity.microsoft.com/t5/Azure-Active-Directory-B2B/bd-p/AzureAD_B2b"><span style="color: #0078d7;text-decoration: underline"><strong>Microsoft Tech Community</strong></span></a>. 
You know we’re listening!<br /> </span></p> <p><span style="color: #41424e;font-family: Segoe UI;font-size: 11pt">Best Regards,<br /> Alex Simons (@Twitter:<a href="https://twitter.com/Alex_A_Simons"><span style="color: #0078d7;text-decoration: underline"><strong>@Alex_A_Simons</strong></span></a>)<br /> Director of Program Management<br /> Microsoft Identity Division</span></p> ]]></content:encoded>
</item>
<item>
<title>End of support for DirSync and Azure AD Sync is rapidly approaching. Time to upgrade to Azure AD Connect!</title>
<link>https://blogs.technet.microsoft.com/enterprisemobility/2017/04/10/end-of-support-for-dirsync-and-azure-ad-sync-is-rapidly-approaching-time-to-upgrade-to-aad-connect/</link>
<comments>https://blogs.technet.microsoft.com/enterprisemobility/2017/04/10/end-of-support-for-dirsync-and-azure-ad-sync-is-rapidly-approaching-time-to-upgrade-to-aad-connect/#comments</comments>
<pubDate>Mon, 10 Apr 2017 16:00:41 +0000</pubDate>
<dc:creator><![CDATA[Alex_SimonsMS]]></dc:creator>
<category><![CDATA[Uncategorized]]></category>
<category><![CDATA[Hybrid]]></category>
<guid isPermaLink="false">https://blogs.technet.microsoft.com/enterprisemobility/?p=50106</guid>
<description><![CDATA[Howdy folks, On April 13 of last year, we announced the deprecation of “Windows Azure Active Directory Sync (DirSync)” and “Azure Active Directory Sync (Azure AD Sync)” and that it was time to start planning to upgrade to Azure AD Connect. We also announced at the time that DirSync & Azure AD Sync will reach <p><a class="read-more" href="https://blogs.technet.microsoft.com/enterprisemobility/2017/04/10/end-of-support-for-dirsync-and-azure-ad-sync-is-rapidly-approaching-time-to-upgrade-to-aad-connect/">Continue reading</a></p>]]></description>
<content:encoded><![CDATA[<p><span style="font-family: Segoe UI">Howdy folks,<br /> </span></p> <p><span style="font-family: Segoe UI">On April 13 of last year, we announced the deprecation of “Windows Azure Active Directory Sync (DirSync)” and “Azure Active Directory Sync (Azure AD Sync)” and that it was time to start planning to upgrade to Azure AD Connect. We also announced at the time that DirSync & Azure AD Sync will reach <strong>end of Support on April 13, 2017</strong>. Since then, 35,000 customers have successfully upgraded from these deprecated tools to Azure AD Connect. That’s what we like to see!<br /> </span></p> <p><span style="font-family: Segoe UI">Today, we are confirming that DirSync and Azure AD Sync will reach end of Support as planned on April 13, 2017.<br /> </span></p> <p><span style="font-family: Segoe UI">I would <span style="text-decoration: underline"><strong><em>highly</em></strong></span> recommend that if you haven’t upgraded to Azure AD Connect, you should do so VERY soon to avoid service disruptions. Azure AD will stop accepting connections from DirSync and Azure AD Sync after <strong>December 31, 2017</strong>.<br /> </span></p> <p><span style="font-family: Segoe UI">For more information about the DirSync and AAD Sync upgrade, please see the <a href="https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-dirsync-deprecated">DirSync and Azure AD Sync deprecation documentation</a>.<br /> </span></p> <p><span style="font-family: Segoe UI">If you have any questions or feedback about this change, we’re all ears. 
Please leave us a comment below or reach out on Twitter using the #AzureAD hashtag.<br /> </span></p> <p><span style="font-family: Segoe UI">Best regards,<br /> </span></p> <p><span style="font-family: Segoe UI">Alex Simons (Twitter: <a href="https://twitter.com/Alex_A_Simons">@Alex_A_Simons</a>)<br /> </span></p> <p><span style="font-family: Segoe UI">Director of Program Management<br /> </span></p> <p><span style="font-family: Segoe UI">Microsoft Identity Division<br /> </span></p> ]]></content:encoded>
<wfw:commentRss>https://blogs.technet.microsoft.com/enterprisemobility/2017/04/10/end-of-support-for-dirsync-and-azure-ad-sync-is-rapidly-approaching-time-to-upgrade-to-aad-connect/feed/</wfw:commentRss>
<slash:comments>1</slash:comments>
</item>
<item>
<title>We’ve added 21 new 3rd party apps to the Azure AD App Gallery!</title>
<link>https://blogs.technet.microsoft.com/enterprisemobility/2017/03/29/weve-added-21-new-3rd-party-apps-to-the-azure-ad-app-gallery/</link>
<pubDate>Wed, 29 Mar 2017 14:38:10 +0000</pubDate>
<dc:creator><![CDATA[Alex_SimonsMS]]></dc:creator>
<category><![CDATA[Uncategorized]]></category>
<category><![CDATA[Apps]]></category>
<category><![CDATA[Modern Apps]]></category>
<category><![CDATA[SaaS]]></category>
<category><![CDATA[SSO]]></category>
<guid isPermaLink="false">https://blogs.technet.microsoft.com/enterprisemobility/?p=49896</guid>
<description><![CDATA[Howdy folks, Many of you probably associate Azure AD with Office 365 & Microsoft Azure. That makes a lot of sense. Those are the cloud services our customers use the most with Azure AD. But you might be surprised to learn that customers use Azure AD with a TON of applications built by 3rd party <p><a class="read-more" href="https://blogs.technet.microsoft.com/enterprisemobility/2017/03/29/weve-added-21-new-3rd-party-apps-to-the-azure-ad-app-gallery/">Continue reading</a></p>]]></description>
<content:encoded><![CDATA[<p>Howdy folks,</p> <p>Many of you probably associate Azure AD with Office 365 & Microsoft Azure. That makes a lot of sense. Those are the cloud services our customers use the most with Azure AD.</p> <p>But you might be surprised to learn that customers use Azure AD with a TON of applications built by 3<sup>rd</sup> party developers. This is one of our most popular and fastest growing capabilities. This month alone our customers used Azure AD with more than 170,000 3<sup>rd</sup> party applications!</p> <p>Given how popular this capability is, I’m excited to announce that working with our ISV partners, we’ve just added 22 new 3<sup>rd</sup> party apps to the Azure AD app gallery! Let’s take a quick tour of the apps we added.</p> <p style="text-align: center"><img alt="" src="https://msdnshared.blob.core.windows.net/media/2017/03/032917_1431_Wevejustadd3.png" /></p> <p><strong>HR apps</strong>:</p> <p style="margin-left: 36pt"><a href="https://azuremarketplace.microsoft.com/en-us/marketplace/apps/aad.firmplay?tab=Overview"><span style="color: #0563c1;text-decoration: underline"><strong>FirmPlay: Employee Advocacy for Recruiting</strong></span></a> manages your employee advocacy program with powerful software that lets you curate, collect, create, and share employee generated content with prospective talent. The <a href="https://www.firmplay.com/"><span style="color: #0563c1;text-decoration: underline">FirmPlay</span></a> app allows you to easily collect employee insights and turn them into engaging, shareable recruiting content, the kind that resonates with top talent.</p> <p style="margin-left: 36pt"><a href="https://azuremarketplace.microsoft.com/en-us/marketplace/apps/aad.patheercoach?tab=Overview"><span style="color: #0563c1;text-decoration: underline"><strong>Patheer Coach</strong></span></a><strong> </strong>provides the tools for employees to continually grow and develop skills, and it also empowers leaders to drive performance. 
The <a href="https://patheer.com/"><span style="color: #0563c1;text-decoration: underline">Patheer Coach</span></a> app allows leaders to capture and analyze their talent landscape, such as identifying high-performing employees, forecasting talent and skill capability gaps to build a strong talent pipeline.</p> <p style="margin-left: 36pt"><a href="https://azuremarketplace.microsoft.com/en-us/marketplace/apps/aad.pingboard?tab=Overview"><span style="color: #0563c1;text-decoration: underline"><strong>Pingboard</strong></span></a><span style="color: black"> is the place for everything you need to know about the people you work with. You can quickly build your org chart and share it with your team. Everyone will always know who’s who and who does what. <a href="https://pingboard.com/?utm_source=MSN_SE_NW_US_BRNDED&utm_medium=cpc&utm_campaign=search__-__nw__-__branded&utm_term=ping_board_exm&c1=MSN_SE_NW&source=US_BRNDED&cr2=search__-__nw__-__branded&kw=ping_board_exm&cr5=76347355658954&cr7=c"><span style="color: #0563c1;text-decoration: underline">Pingboard</span></a> is the employee directory, org chart and out of office calendar.<br /> </span></p> <p style="margin-left: 36pt"><a href="https://azuremarketplace.microsoft.com/en-us/marketplace/apps/aad.planmyleave?tab=Overview"><span style="color: #0563c1;text-decoration: underline"><strong>PlanMyLeave</strong></span></a><span style="color: black"> is an HRIS and online leave management system designed to scale easily from small to medium businesses to large enterprises. 
<a href="https://www.bing.com/search?q=PlanMyLeave&qs=n&form=QBLH&pc=BBMU&sp=-1&pq=planmyleave&sc=5-11&sk=&cvid=7448230F89044762BC90C3FD9F336CB0"><span style="color: #0563c1;text-decoration: underline">PlanMyLeave</span></a> helps you customize leave types and set up complex leave policies for any country.</span><span style="font-size: 10pt"><br /> </span></p> <p><span style="color: black"><strong>Business Management apps<span style="color: #505050">:<br /> </span></strong></span></p> <p style="margin-left: 36pt"><a href="https://azuremarketplace.microsoft.com/en-us/marketplace/apps/aad.cflow?tab=Overview"><span style="color: #0563c1;text-decoration: underline">Cavintek’s Cflow</span></a><span style="color: black"><strong> </strong>is a cloud-based business process management app that helps streamline and automate business processes in SMBs. <a href="http://www.cavintek.com/"><span style="color: #0563c1;text-decoration: underline">Cflow</span></a> moves organizations from emails and spreadsheets to using business apps and secures all communication.<br /> </span></p> <p style="margin-left: 36pt"><a href="https://azuremarketplace.microsoft.com/en-us/marketplace/apps/aad.contractrebates?tab=Overview"><span style="color: #0563c1;text-decoration: underline"><strong>Contract Rebates</strong></span></a><span style="color: black"><strong> by Xen Computers Limited </strong>manages contractual pricing agreements between indirect customers and wholesalers, providing validation and payment of rebates together with financial control and reporting capabilities.<br /> </span></p> <p style="margin-left: 36pt"><a href="https://azuremarketplace.microsoft.com/en-us/marketplace/apps/aad.lecorpio?tab=Overview"><span style="color: #0563c1;text-decoration: underline"><strong>Lecorpio</strong></span></a><span style="color: black"><strong> Intellectual Property Management </strong>provides a secure, web-based portal that centrally manages the entire IP lifecycle from the submission of 
disclosures all the way through to the payment of annuities, and ongoing opposition filings, enforcement actions, arbitration, litigation, contracts, license agreements and more. <a href="http://www.lecorpio.com/company/"><span style="color: #0563c1;text-decoration: underline">Lecorpio</span></a> is trusted by the world’s most innovative companies.<br /> </span></p> <p><strong>Collaboration apps</strong>:<span style="color: #505050;font-family: Segoe UI"><br /> </span></p> <p style="margin-left: 36pt"><a href="https://azuremarketplace.microsoft.com/en-us/marketplace/apps/aad.fuze?tab=Overview"><span style="color: #0563c1;text-decoration: underline"><strong>Fuze</strong></span></a><span style="color: #505050"> offers a unified communication service that enables efficient collaboration at work. <a href="https://www.fuze.com/fuze-reimagined"><span style="color: #0563c1;text-decoration: underline">Fuze</span></a> combines voice, video, messaging, and content sharing in a single app with great user experience.<br /> </span></p> <p style="margin-left: 36pt"><a href="https://azuremarketplace.microsoft.com/en-us/marketplace/apps/aad.maxxpoint?tab=Overview"><span style="color: #0563c1;text-decoration: underline"><strong>MaxxPoint</strong></span></a><span style="color: #505050"> brings together your unified communication apps from West UC with a secure and easy-to-use interface. MaxxPoint app gives you the visibility across your enterprise and the tools to manage your UC services.<br /> </span></p> <p style="margin-left: 36pt"><a href="https://azuremarketplace.microsoft.com/en-us/marketplace/apps/aad.teamwork?tab=Overview"><span style="color: #0563c1;text-decoration: underline"><strong>Teamwork Projects</strong></span></a><span style="color: #505050"> is a collaborative project management app designed to streamline processes and connect your team. 
The <a href="https://www.teamwork.com/project-management-software"><span style="color: #0563c1;text-decoration: underline"><strong>Teamwork Projects app</strong></span></a> keeps all your team’s tasks in one place, so your team can collaborate in real time for great results.<br /> </span></p> <p style="margin-left: 36pt"><a href="https://azuremarketplace.microsoft.com/en-us/marketplace/apps/aad.worksmobile?tab=Overview"><span style="color: #0563c1;text-decoration: underline"><strong>Works Mobile Chat Service</strong></span></a><span style="color: #505050"> offers a business messenger service for users to talk with their contact list freely. Users can easily send photos and videos while talking and can also share contact and location information. <a href="https://line.worksmobile.com/jp/home/talk"><span style="color: #0563c1;text-decoration: underline">Works Mobile</span></a> is the only business chat to connect with LINE. LINE Works also contacts customers and business partners for easy communication.<br /> </span></p> <p><strong>Content Management apps:<br /> </strong></p> <p style="margin-left: 36pt"><a href="https://azuremarketplace.microsoft.com/en-us/marketplace/apps/aad.azuredockit?tab=Overview"><span style="color: #0563c1;text-decoration: underline">Azure DockIt</span></a><span style="color: black"> is a SaaS solution that automatically generates technical documentation of your Azure environment. 
<a href="https://www.azuredockit.com/"><span style="color: #0563c1;text-decoration: underline">Azure DockIt</span></a> can generate complete documentation of your Microsoft Azure subscription in less than 5 minutes.<br /> </span></p> <p style="margin-left: 36pt"><a href="https://azuremarketplace.microsoft.com/en-us/marketplace/apps/aad.evernote?tab=Overview"><span style="color: #0563c1;text-decoration: underline"><strong>Evernote</strong></span></a><span style="color: black"> allows you to capture information in any environment using whatever device or platform you find most convenient, and makes this information accessible and searchable at any time from any device. <a href="https://evernote.com/"><span style="color: #0563c1;text-decoration: underline">Evernote</span></a> helps users collaborate in a single workspace.<strong><br /> </strong></span></p> <p style="margin-left: 36pt"><a href="https://azuremarketplace.microsoft.com/en-us/marketplace/apps/aad.inkling?tab=Overview"><span style="color: #0563c1;text-decoration: underline">Inkling</span></a><span style="color: black"> offers a mobile platform that brings policies and procedures to life for deskless workers. The <a href="https://www.inkling.com/product/collaborative-authoring/"><span style="color: #0563c1;text-decoration: underline">Inkling</span></a> collaborative authoring tools let users select content types, drag and drop widgets, automate import of old files, and allow multiple authors to edit the content simultaneously.<br /> </span></p> <p><span style="color: black"><strong>Developer Services apps:<br /> </strong></span></p> <p style="margin-left: 36pt"><a href="https://azuremarketplace.microsoft.com/en-us/marketplace/apps/aad.githubcom?tab=Overview"><span style="color: #0563c1;text-decoration: underline"><strong>GitHub</strong></span></a><span style="color: black"> is a development platform inspired by the way developers work. 
GitHub hosts code, manages projects, and builds software alongside millions of developers. <a href="https://github.com/"><span style="color: #0563c1;text-decoration: underline">GitHub</span></a> brings teams together to work through problems, move ideas forward, and learn from each other along the way.<br /> </span></p> <p><strong>Facility Management apps:<br /> </strong></p> <p style="margin-left: 36pt"><a href="https://azuremarketplace.microsoft.com/en-us/marketplace/apps/aad.servicechannel?tab=Overview"><span style="color: #0563c1;text-decoration: underline"><strong>ServiceChannel</strong></span></a><span style="color: black"> provides a facilities and contractor management platform that enables complete service automation and repair and maintenance management at all locations. <a href="http://servicechannel.info/service-automation/"><span style="color: #0563c1;text-decoration: underline">ServiceChannel</span></a> is in the process of transforming the Facilities Management industry and assisting companies to be better in running their operations.</span><span style="font-size: 10pt"><br /> </span></p> <p><strong>Finance apps:<br /> </strong></p> <p style="margin-left: 36pt"><a href="https://azuremarketplace.microsoft.com/en-us/marketplace/apps/aad.landgorillaclient?tab=Overview"><span style="color: #0563c1;text-decoration: underline"><strong>Land Gorilla Client app</strong></span></a> provides the construction loan software and lending solutions that streamline post-closing construction administration services, so customers can easily scale and control their pipeline as they increase loan volume. 
Construction lenders trust <a href="https://www.landgorilla.com/"><span style="color: #0563c1;text-decoration: underline">Land Gorilla</span></a>.<strong><br /> </strong></p> <p><strong>Healthcare apps:<br /> </strong></p> <p style="margin-left: 36pt"><a href="https://azuremarketplace.microsoft.com/en-us/marketplace/apps/aad.cernercentral?tab=Overview"><span style="color: #0563c1;text-decoration: underline"><strong>Cerner Central</strong></span></a> is a web portal for client IT administrators to manage identity federation, access management, and auditing capabilities for Cerner’s cloud platforms: Healthe Intent and Millennium. <a href="https://cernercentral.com/"><span style="color: #0563c1;text-decoration: underline">Cerner Central</span></a> is the hub that securely connects your enterprise to the Cerner Cloud for app access, authentication token management, audit reports, device access, user accounts and more.</p> <p style="margin-left: 36pt"><a href="https://azuremarketplace.microsoft.com/en-us/marketplace/apps/aad.deskyogi?tab=Overview"><span style="color: #0563c1;text-decoration: underline"><strong>Desk Yogi</strong></span></a> offers a wellness solution and provides fitness, yoga, nutrition and stress reduction right at your desk. <a href="https://www.desk-yogi.com/"><span style="color: #0563c1;text-decoration: underline">Desk Yogi</span></a> helps you improve<strong><br /> </strong>your health and happiness with 3 to 10-minute video lessons taught by expert teachers.</p> <p><span style="color: black"><strong>Productivity apps:<br /> </strong></span></p> <p style="margin-left: 36pt"><a href="https://azuremarketplace.microsoft.com/en-us/marketplace/apps/aad.adobecreativecloud?tab=Overview"><span style="color: #0563c1;text-decoration: underline">Adobe Creative Cloud</span></a><span style="color: black"> gives you everything that you need to turn your brightest ideas into your best work across your desktop and mobile devices and share it with the world. 
<a href="https://www.adobe.com/creativecloud.html"><span style="color: #0563c1;text-decoration: underline">Creative Cloud</span></a> provides everything from essential tools like Photoshop to innovative new tools like Adobe DX. You also get built-in templates to jump-start your designs and step-by-step tutorials to help you get up to speed quickly and sharpen your skills. It is your entire creative world, all in one place.<br /> </span></p> <p><span style="color: black"><strong>Project Management apps:<br /> </strong></span></p> <p style="margin-left: 36pt"><a href="https://azuremarketplace.microsoft.com/en-us/marketplace/apps/aad.p2wareppmonline?tab=Overview"><span style="color: #0563c1;text-decoration: underline">P2ware PPM </span></a><span style="color: black">solution combines leading project portfolio management techniques with 7*24 cloud availability. <a href="https://p2ware.com/en/project-management-tools/project-manager/7"><span style="color: #0563c1;text-decoration: underline">P2ware Project Manager</span></a> is a project management app that embraces all aspects of real world project management from planning to execution.<br /> </span></p> <p><strong>Security apps:<br /> </strong></p> <p style="margin-left: 36pt"><a href="https://azuremarketplace.microsoft.com/en-us/marketplace/apps/aad.zscalerprivateaccess?tab=Overview"><span style="color: #0563c1;text-decoration: underline"><strong>Zscaler Private Access (ZPA)</strong></span></a><strong><br /> </strong>delivers policy-based, secure access to applications and assets without the hassle or security risks of a VPN. 
The <a href="https://www.zscaler.com/products/zscaler-private-access"><span style="color: #0563c1;text-decoration: underline">Zscaler</span></a> approach is more secure than VPN because it reduces the potential attack surface and doesn’t require hardware infrastructure.</p> <p>If you want to suggest a new SaaS app, please submit your request using the <a href="http://aka.ms/aadapprequest"><span style="color: #0563c1;text-decoration: underline">Azure AD Application Request forum</span></a>. We are actively reviewing the requests and working to release new SaaS apps.</p> <p>Best Regards,</p> <p>Alex Simons (Twitter: <a href="https://twitter.com/Alex_A_Simons"><span style="color: #0563c1;text-decoration: underline">@Alex_A_Simons</span></a>)</p> <p>Director of Program Management</p> <p>Microsoft Identity Division</p> ]]></content:encoded>
</item>
<item>
<title>PingAccess for Azure AD: The public preview is being deployed!</title>
<link>https://blogs.technet.microsoft.com/enterprisemobility/2017/03/22/pingaccess-for-azure-ad-the-public-preview-is-being-deployed/</link>
<pubDate>Wed, 22 Mar 2017 16:00:52 +0000</pubDate>
<dc:creator><![CDATA[Alex_SimonsMS]]></dc:creator>
<category><![CDATA[Uncategorized]]></category>
<category><![CDATA[Apps]]></category>
<category><![CDATA[Authentication]]></category>
<category><![CDATA[Hybrid]]></category>
<category><![CDATA[Hybrid Cloud]]></category>
<category><![CDATA[Identity-driven Security]]></category>
<category><![CDATA[On-Prem]]></category>
<category><![CDATA[SSO]]></category>
<guid isPermaLink="false">https://blogs.technet.microsoft.com/enterprisemobility/?p=49215</guid>
<description><![CDATA[Howdy folks, Back in September, I blogged about our exciting partnership with Ping Identity. Since then, Microsoft and Ping Identity have worked closely together to extend the capabilities of Azure AD Application Proxy to support new kinds of on-premises applications using Ping Access. I’m happy to announce today that PingAccess for Azure AD is now <p><a class="read-more" href="https://blogs.technet.microsoft.com/enterprisemobility/2017/03/22/pingaccess-for-azure-ad-the-public-preview-is-being-deployed/">Continue reading</a></p>]]></description>
<content:encoded><![CDATA[<p>Howdy folks,</p> <p>Back in September, I blogged about <a href="https://blogs.technet.microsoft.com/enterprisemobility/2016/09/14/azuread-and-pingaccess-partnering-to-bring-you-secure-remote-access-to-even-more-on-premises-web-apps/">our exciting partnership with Ping Identity</a>.</p> <p>Since then, Microsoft and Ping Identity have worked closely together to extend the capabilities of Azure AD Application Proxy to support new kinds of on-premises applications using Ping Access.</p> <p>I’m happy to announce today that PingAccess for Azure AD is now ready for Public Preview and is currently being deployed across Azure AD data centers around the world. Many of you in North America will see it turn on today and it should be available to everyone by the end of the day Friday, 3/24/2017.</p> <p>I’ve invited one of the program managers on our team, Harshini Jayaram, to share more details in a blog, which you’ll find below. We hope you try it out and look forward to hearing what you think!</p> <p>Best regards,</p> <p>Alex Simons (Twitter: <a href="http://www.twitter.com/alex_a_simons">@Alex_A_Simons</a>)</p> <p>Director of Program Management</p> <p>Microsoft Identity Division</p> <p>—-</p> <p>Hi all,</p> <p>We already have many customers using Application Proxy to provide single sign-on (SSO) and secure remote access for web applications hosted on-premises. Many of them use this product for applications such as local SharePoint sites, Outlook Web Access for local Exchange servers, and other business web applications. It is a simple, secure, and cost-effective solution:</p> <ul> <li><strong>Simple:</strong> You don’t need to change the network infrastructure, put anything in a DMZ, or use VPN.</li> <li><strong>Secure:</strong> Application Proxy only uses outbound connections, giving you a more secure solution. It also works with other security features you’ve seen in Azure such as two-step verification, conditional access, and risk analysis. 
Learn more about this in <a href="https://docs.microsoft.com/en-us/azure/active-directory/application-proxy-security-considerations">Security considerations for Azure AD Application Proxy</a>.</li> <li><strong>Cost-Effective:</strong> Application Proxy is a service that we maintain in the cloud, so you can save time and money.</li> </ul> <p>Right now, all those benefits of Application Proxy are available for many different types of applications, including:</p> <ul> <li>Web applications using Integrated Windows Authentication</li> <li>Web applications using form-based access</li> <li>Web APIs that you want to expose to rich applications on different devices</li> <li>Applications hosted behind a Remote Desktop Gateway</li> </ul> <p>If you want more details, you can check out our <a href="https://go.microsoft.com/fwlink/?linkid=844804">Application Proxy documentation</a>. For this blog, I want to focus more on how we’re adding header-based applications with this new public preview!</p> <h2>PingAccess for Azure AD enables more apps!</h2> <p>Our customers have consistently asked for Application Proxy to also support apps that use headers for authentication, such as Peoplesoft, Netweaver Portal, and WebCenter. To enable this capability for our Azure AD Premium customers, we have partnered with Ping Identity. Ping Identity’s PingAccess now allows Application Proxy to support apps that use header-based authentication.</p> <p>PingAccess is installed on-premises. For apps that use header-based authentication, Application Proxy connectors route traffic through PingAccess. Existing App Proxy applications are not impacted and use the current flow with no changes. 
An overview of this flow is shown below, and you can always check out our <a href="https://docs.microsoft.com/en-us/azure/active-directory/active-directory-application-proxy-get-started">overview documentation</a> for more on App Proxy flows.</p> <p style="text-align: center"><img alt="" src="https://msdnshared.blob.core.windows.net/media/2017/03/032217_0025_PingAccessf1.jpg" /></p> <p style="text-align: center"><strong>Figure 1</strong>: Application Proxy + PingAccess Infrastructure Overview</p> <p>PingAccess is a separately licensed feature, but your Azure Premium licenses now include a free license to configure up to 20 applications with this flow. If you have more apps, you’ll need to get a license through Ping Identity.</p> <h2>Joining the Preview</h2> <p>We are excited to have you join our preview! To get started you need to:</p> <ol> <li>Configure Application Proxy Connectors</li> <li>Create an Azure AD Application Proxy Application</li> <li>Download & Configure PingAccess</li> <li>Configure Applications in PingAccess</li> </ol> <p>Just head to our <a href="https://docs.microsoft.com/en-us/azure/active-directory/application-proxy-ping-access">Application Proxy + PingAccess documentation</a> for a walkthrough of each of these steps.</p> <p>We hope you enjoy trying this preview! As always, we’d love to hear from you with any questions, comments, or feedback, so please leave us a <span style="font-family: Times New Roman">comment</span> or reach out to us directly at <a href="mailto:aadapfeedback@microsoft.com">aadapfeedback@microsoft.com</a>.</p> <p>Thanks,</p> <p>Harshini Jayaram</p> ]]></content:encoded>
</item>
<item>
<title>First ever #AzureAD AMA results</title>
<link>https://blogs.technet.microsoft.com/enterprisemobility/2017/03/21/first-ever-azuread-ama-results/</link>
<pubDate>Tue, 21 Mar 2017 16:00:25 +0000</pubDate>
<dc:creator><![CDATA[Alex_SimonsMS]]></dc:creator>
<category><![CDATA[Uncategorized]]></category>
<guid isPermaLink="false">https://blogs.technet.microsoft.com/enterprisemobility/?p=49165</guid>
<description><![CDATA[Howdy folks, On March 9th, the Azure AD team hosted its first “Ask Me Anything” (AMA) on Reddit. A bunch of us gathered in a big conference room, and even more of the team joined on a Skype call (sadly, the Skypers didn’t get any of the snacks or pizza). And so many of you asked <p><a class="read-more" href="https://blogs.technet.microsoft.com/enterprisemobility/2017/03/21/first-ever-azuread-ama-results/">Continue reading</a></p>]]></description>
<content:encoded><![CDATA[<p>Howdy folks,</p> <p>On March 9<sup>th</sup>, the Azure AD team hosted its first “Ask Me Anything” (AMA) on Reddit. A bunch of us gathered in a big conference room, and even more of the team joined on a Skype call (sadly, the Skypers didn’t get any of the snacks or pizza). And so many of you asked such great questions that we learned a lot ourselves. Thank you for participating!</p> <p>If you haven’t had a chance to go through the thread yet, I recommend you <a href="http://aka.ms/azuread-reddit-ama">take a look</a>. There’s a lot of interesting and valuable information there.</p> <p style="text-align: center"><img alt="" src="https://msdnshared.blob.core.windows.net/media/2017/03/032117_0547_FirsteverAz1.jpg" /></p> <p style="text-align: center"><em>Just about to start!<br /> </em></p> <p style="text-align: center"><img alt="" src="https://msdnshared.blob.core.windows.net/media/2017/03/032117_0547_FirsteverAz2.jpg" /></p> <p style="text-align: center"><em>Everyone hard at work AMAing<br /> </em></p> <p>So how did it go? Pretty awesome! Some quick stats:</p> <ul> <li>More than <strong>50 people</strong> from our team participated, and some of our wonderful MVPs and representatives from our Microsoft partner teams joined, as well</li> <li>We had <strong>102 top-level questions</strong> (29 per hour) and <strong>449 total</strong> comments (128 per hour)</li> <li>Our post was upvoted by <strong>96% of people</strong> with a total of <strong>72 points. 
</strong>This compares with: <ul> <li><strong>25</strong> – average number of points for all other /r/Azure AMAs (a <strong>284% increase</strong>!)</li> <li><strong>89%</strong> – average upvote percentage for all other /r/Azure AMAs (a <strong>7.8% increase</strong>!)</li> </ul> </li> <li>We answered <strong>99% of questions during the event</strong></li> <li>The <a href="http://aka.ms/azuread-reddit-ama">Azure AD AMA page</a> had <strong>2,586 hits</strong> in the five days surrounding the event, and is <strong>still getting 60-100 hits</strong> per day</li> </ul> <p>For questions per hour, total comment count, and response rate, we’re the new AMA champions at Microsoft. The SQL team has us beat for total number of questions, though, so we’ll definitely host another AMA in the future and try to knock them off the top. We’re looking forward to it and hope you’ll join us!</p> <p>Best regards,</p> <p>Alex Simons (Twitter: <a href="https://twitter.com/Alex_A_Simons">@Alex_A_Simons</a>)</p> <p>Director of Program Management</p> <p>Microsoft Identity Division</p> ]]></content:encoded>
</item>
<item>
<title>Microsoft Enterprise Mobility + Security and the Microsoft Graph API</title>
<link>https://blogs.technet.microsoft.com/enterprisemobility/2017/03/20/microsoft-enterprise-mobility-security-and-the-microsoft-graph-api/</link>
<pubDate>Mon, 20 Mar 2017 19:54:11 +0000</pubDate>
<dc:creator><![CDATA[Andrew Conway]]></dc:creator>
<category><![CDATA[Uncategorized]]></category>
<guid isPermaLink="false">https://blogs.technet.microsoft.com/enterprisemobility/?p=49035</guid>
<description><![CDATA[Across the more than forty thousand customers that Enterprise Mobility + Security (EMS) serves today, there’s a notable diversity in how they organize their IT resources to enable mobile productivity for their workforce. Each customer uniquely defines their mobile strategy and IT structure through a series of choices based on the strategic needs of their <p><a class="read-more" href="https://blogs.technet.microsoft.com/enterprisemobility/2017/03/20/microsoft-enterprise-mobility-security-and-the-microsoft-graph-api/">Continue reading</a></p>]]></description>
<content:encoded><![CDATA[<p>Across the more than forty thousand customers that <a href="https://blogs.technet.microsoft.com/enterprisemobility/2016/07/07/introducing-enterprise-mobility-security/">Enterprise Mobility + Security (EMS)</a> serves today, there’s a notable diversity in how they organize their IT resources to enable mobile productivity for their workforce. Each customer uniquely defines their mobile strategy and IT structure through a series of choices based on the strategic needs of their business. Some customers choose to manage their mobility solutions internally, while others choose to work with a managed service provider to manage them on their behalf. Regardless of the structure, our goal is to enable IT to easily design processes and workflows that allow them to be more empowered and efficient.</p> <p>As the Microsoft Intune and Azure Active Directory admin experiences come together in Azure, we’re taking an important step forward in our ability to offer EMS customers more choices and capability. Built on the <a href="https://developer.microsoft.com/en-us/graph">Microsoft Graph API</a>, the new Intune and Azure AD experience on Azure opens a new set of possibilities for our customers and partners to simplify, automate, and integrate their workloads.</p> <p>Microsoft Graph API connects developers to the data that drives productivity: mail, calendar, contacts, documents, directory, devices, and more. It serves as a single interface where Microsoft services can be reached through a set of REST APIs. With our shift to Azure and the Microsoft Graph API, customers now have the choice to manage the administration and operation of Intune and Azure AD services in the new Azure console or through the Microsoft Graph API. 
The scenarios that the Microsoft Graph API enables are expansive, and we expect the value to you and all our customers to center on three core benefits:</p> <h2>Simplicity</h2> <p>Microsoft Graph API is accessible through several platforms and tools, including REST-based API endpoints, and most popular programming and automation platforms (.NET, JS, iOS, Android, PowerShell). Resources (user, group, device, application, file) and policies can be queried through this API, and formerly difficult or complex questions can be addressed via straightforward queries. For example, you can use the Graph APIs to check the compliance state of all your Intune-managed devices and feed this data into your existing reporting system, enabling a simple, yet powerful, reporting experience across your organization.</p> <h2>Automation</h2> <p>The Microsoft Graph API allows you to connect different services and automate workflows and processes between them. For example, you could connect your HR system with the Microsoft Graph APIs to automate the provisioning of mobile devices when you’re onboarding a new employee, and set up automation to retire and wipe a device as employees leave the company. If you are a service provider managing the environment of multiple customers at once, you could use these capabilities to automate the onboarding of tenants, populating them with default policies and implementing industry-specific templates. All this can be set up to happen automatically without ever opening a management console.</p> <h2>Integration</h2> <p>The Microsoft Graph API can send detailed device and application information to other IT asset management or reporting systems. You could build custom experiences which call our APIs to configure Intune and Azure AD controls and policies and unify workflows across multiple services. 
For example, a help desk organization might build a custom solution that incorporates Intune functionality into their console, allowing them to manage device and application policies in a unified way alongside other helpdesk tasks. You can even connect with PowerBI and other analytics services to create custom dashboards and reports based on Office 365, Intune, and Azure AD data from the Microsoft Graph API.</p> <p><a href="https://msdnshared.blob.core.windows.net/media/2017/03/Microsoft-Graph-API-is-the-gateway-for.jpg"><img title="Microsoft Graph API is the gateway for" style="float: none;padding-top: 0px;padding-left: 0px;margin-left: auto;padding-right: 0px;margin-right: auto;border: 0px" border="0" alt="Microsoft Graph API is the gateway for" src="https://msdnshared.blob.core.windows.net/media/2017/03/Microsoft-Graph-API-is-the-gateway-for_thumb.jpg" width="873" height="186" class="aligncenter" /></a></p> <p><a href="https://msdnshared.blob.core.windows.net/media/2017/03/Supported-Platforms.jpg"><img title="Supported Platforms" style="float: none;padding-top: 0px;padding-left: 0px;margin-left: auto;padding-right: 0px;margin-right: auto;border: 0px" border="0" alt="Supported Platforms" src="https://msdnshared.blob.core.windows.net/media/2017/03/Supported-Platforms_thumb.jpg" width="872" height="147" class="aligncenter" /></a></p> <p>The new <a href="https://blogs.windows.com/windowsexperience/2017/01/24/announcing-intune-education-new-windows-10-pcs-school-starting-189/#2h4ooD2KbRBHuix3.97">Intune for Education</a> experience and the OneDrive for Business console, where Intune app protection policies are now built in directly, are both great examples of new experiences that are made possible because of Intune and Azure AD being built on the Microsoft Graph API. We’re also working directly with several partners who are starting to explore what’s possible with our APIs in preview. 
It’s exciting to see the ideas they come up with around how these capabilities will improve their processes and workflows, and the custom solutions they will enable.</p> <p>The Intune and Azure AD APIs are available in preview now as part of the Microsoft Graph API beta and will be generally available later in 2017.* For a closer look, check out the documentation on how to use <a href="https://developer.microsoft.com/en-us/graph/docs/api-reference/beta/resources/intune_graph_overview">Intune</a> and <a href="https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-graph-api">Azure Active Directory</a> APIs.</p> <hr /> <p><em>*Use of a Microsoft online service requires a valid license. Therefore, accessing EMS, Microsoft Intune, or Azure Active Directory Premium features via Microsoft Graph API requires paid licenses of the applicable service and compliance with Microsoft Graph API Terms of Use. </em></p> ]]></content:encoded>
</item>
<item>
<title>Conditional Access “limited access” policies for SharePoint are in public preview!</title>
<link>https://blogs.technet.microsoft.com/enterprisemobility/2017/03/09/conditional-access-limited-access-policies-for-sharepoint-are-in-public-preview/</link>
<pubDate>Thu, 09 Mar 2017 17:00:23 +0000</pubDate>
<dc:creator><![CDATA[Alex_SimonsMS]]></dc:creator>
<category><![CDATA[Uncategorized]]></category>
<category><![CDATA[Android]]></category>
<category><![CDATA[Conditional Access]]></category>
<category><![CDATA[Identity-driven Security]]></category>
<category><![CDATA[iOS]]></category>
<category><![CDATA[Office 365]]></category>
<category><![CDATA[Security]]></category>
<category><![CDATA[SharePoint]]></category>
<guid isPermaLink="false">https://blogs.technet.microsoft.com/enterprisemobility/?p=48725</guid>
<description><![CDATA[Howdy folks, Enabling productivity while securing data is the fine line IT pros walk today, and having the right tools to do it makes it that much easier. In the past, employees working from their personal devices was a recipe for leaked data. But not anymore! Working with the SharePoint team, we’ve created a great <p><a class="read-more" href="https://blogs.technet.microsoft.com/enterprisemobility/2017/03/09/conditional-access-limited-access-policies-for-sharepoint-are-in-public-preview/">Continue reading</a></p>]]></description>
<content:encoded><![CDATA[<p>Howdy folks,</p> <p>Enabling productivity while securing data is the fine line IT pros walk today, and having the right tools to do it makes it that much easier. In the past, employees working from their personal devices was a recipe for leaked data.</p> <p>But not anymore! Working with the SharePoint team, we’ve created a great new feature in the conditional access experience that I think you’re going to love: the ability to limit a user’s ability to download, print and sync based on the state of their device.</p> <p>To tell you more about it, I’ve invited one of my program managers, Nitika Gupta, to write a blog, which you’ll find below. Read up, try things out, and let us know what you think!</p> <p>Best regards,</p> <p>Alex Simons (Twitter: <a href="https://twitter.com/Alex_A_Simons">@Alex_A_Simons</a>)</p> <p>Director of Program Management</p> <p>Microsoft Identity Division</p> <p>—-</p> <p>Hi folks,</p> <p>I’m Nitika Gupta, a Program Manager in the Identity Security and Protection team at Microsoft. Today we are announcing the public preview of a feature that will enhance security for SharePoint and OneDrive access while still helping maintain productivity.</p> <p>Microsoft Intune and Azure Active Directory conditional access provides the ability to grant or block access to resources based on device state. This helps organizations ensure content doesn’t get on to a machine that isn’t encrypted, locked, secure from malware, etc. This is an important aspect of securing company data.</p> <p>Unfortunately, not all devices can be managed. Sometimes people need to work from home computers, personal devices, or shared machines that aren’t enrolled. Until now, this meant losing productivity by denying access to SharePoint altogether or allowing unsecured download of content. 
Because of this, IT admins struggle to find the balance when configuring policies to prevent data leakage of corporate resources while ensuring that employees remain productive.</p> <p>But what if we could have great user productivity and maintain a great security posture? That’s what the Secure, Productive Enterprise is all about and why <strong>I am thrilled to announce the public preview of the “<em>Limited Access to SharePoint and OneDrive”</em> feature!</strong> Now you can allow access to SharePoint and OneDrive from an unmanaged device by granting browser-only access with download, print, and sync disabled. Users can stay productive, and you can be assured that when they sign off, no data is leaked onto the unmanaged device.</p> <p>Let me show you how it works in Azure AD Conditional Access and SharePoint!</p> <h2>Getting started</h2> <p>Configuring limited browser-only access to SharePoint and OneDrive is an easy two-step process. See our <a href="https://aka.ms/spolimitedaccessdocs">limited access documentation</a> for more detailed instructions.</p> <ol> <li> <div>First <a href="https://portal.azure.com/">create an Azure AD Conditional access policy</a> for SharePoint that applies only to browser client apps with “use app enforced restrictions” as the session control.</div> <p><img class="aligncenter" alt="" src="https://msdnshared.blob.core.windows.net/media/2017/03/030917_0059_Conditional1.png" /></p> <p>Tip: To prevent users from going around the browser policy and accessing resources from mobile and desktop applications on unmanaged devices, we recommend enabling an Azure AD conditional access policy. 
This enables access from mobile and desktop apps only from a compliant or domain joined device.</li> <li>Next, go to <strong>device access </strong>in the SharePoint admin center and select the checkbox to “Allow limited access (web-only, without the Download, Print, and Sync commands)”</li> </ol> <p><img alt="" src="https://msdnshared.blob.core.windows.net/media/2017/03/030917_0059_Conditional2.png" /></p> <p>Note: It can take up to 15 minutes for policy changes to take effect.</p> <h2>End user experience</h2> <p>When accessing SharePoint and OneDrive from devices that are not compliant or domain joined, end users will see a warning banner explaining why their experience is limited.</p> <p><img class="aligncenter" alt="" src="https://msdnshared.blob.core.windows.net/media/2017/03/030917_0059_Conditional3.png" /></p> <h2>Feedback</h2> <p>We would love to hear your feedback! If you have any suggestions for us, questions, or issues to report, please leave a comment at the bottom of this post, or tweet with the hashtag #AzureAD.</p> <p>Thanks,</p> <p>Nitika Gupta</p> <p>@_nitika_gupta</p> ]]></content:encoded>
</item>
</channel>
</rss>