Welcome to our KuppingerCole webinar, "Access all apps with Azure Active Directory", or Azure AD, a single identity solution for secure, Azure Active Directory as an integrated identity solution for secure, seamless access for all your users, devices, and apps. This webinar is supported by Microsoft. The speakers today are Alana Smith, principal TM at Microsoft, and me, Martin Kuppinger. I'm Principal Analyst at KuppingerCole. Before we start, some very quick information on some things that are new at KuppingerCole, and then some housekeeping before we dive into the topics of today's webinar.
So the one thing I'd like to hint you on is the upcoming series of virtual events provided by KuppingerCole, starting on May 12th with a one-day event on identity fabrics and the future of identity management. And then a couple of other topics following over the course of the year. Have a look at our website: a lot of new content, a lot of new information from these virtual events. Some housekeeping for the webinar: the audio control, you are muted centrally, and we are controlling these features.
So there's no need for you to do anything yourself.
We are recording the webinar and we will upload the recording by tomorrow, as well as we will provide slide decks for download, and there will be a Q&A session at the end of the webinar. However, you can enter questions at any time using the questions tool in the GoToWebinar control panel. This control panel usually is at the right side of your screen. And so you can enter questions. The more questions we have, the more lively our Q&A session will be. So let's have a look at the agenda for today.
I will start talking a little bit about identity management trends and where things are moving, where things are heading, and which role the paradigm we've defined, and which we name identity fabric, plays in this for a future-proof identity management.
And then we will look at the role Azure AD can take in such an identity fabric and, based on that, also in an identity management strategy. When I look at our advisory business these days, we get this question asked by virtually every customer: which strategic role can Active Directory take, Azure AD take, in my future identity management?
And I think it's a very hot, a very important topic. So this is basically what we will talk about. And following me, Alana then will provide a deep dive into the details of Azure Active Directory as a strategic platform for access management and look more into detail into the application integration models supported by Azure AD for both modern and legacy environments. So for everything, from a SaaS service to traditional solutions you're running on premises in your environment. And as I've said, following that we then will do our Q&A session.
As I've said, the more questions we have, the more lively it'll be. So whenever you have a question, enter it and we will pick it by the end of our webinar. So being an analyst, I like to talk about trends, apparently, because that's what analysts do. And so maybe as a starter, let's have a look at some of the identity management top trends we are observing. So one of these trends, and I talked about trends recently, also in my video podcast and in other locations: we see things becoming more and more services. So everything is driving to a service model.
And as-a-service deployments are more and more the norm as well, for whatever business applications, your productivity tools, as well as for the infrastructure tools, including our security tools, including identity management. So the way we are delivering stuff is changing.
And I just today published a video podcast about identity management from the cloud becoming the new normal, which you will find in our KuppingerCole YouTube channel or in our KuppingerCole blog.
And that also means that IT architectures are changing, including the identity management architectures, moving to microservices with the ability to make fast and agile and small changes. So we also need to look at how does identity management look like and how does a good solution look like? And I believe it must support some form of as-a-service deployment, and it should be architected in microservices to be flexible, to run also in different types of scenarios or very efficiently as a public as-a-service model.
That depends on what you're exactly using, what you're exactly looking at, but it must be a modern architecture, which also, that's the consequence of that, will come with APIs.
So it'll be easier to consume, easier to customize than ever before. And we need to look at all types of identities. We are talking about a connected world.
Anyway, the days of pure employee identity management are past. And what we look at in modernizing our identity management is we need to look at all types of identities. That is the partners, the customers, the consumers, but also devices and things. We need to get broader on that and figure out how we can serve all these identity needs in a consistent manner, which I see as a major trend in where identity management is heading.
We also see the need for supporting building new digital services. I believe in the next couple of months and few years we'll see a massive uptake of digital transformation as a consequence of the current situation. What else do we see?
Adaptive authentication is essential. So multifactor authentication, risk- and context-based authentication. All that stuff is super important. Privileged access management will become more important, and we will control access more and more based on policies.
So also the access control, in the sense of I control runtime access, will, and it's already, shifting more towards the center of attention compared to static entitlements in systems, et cetera. Powered by AI: so where AI and machine learning help, we will see more and more of that. And this all will transition into what we see from our perspective as the paradigm of identity fabrics. So when I talk about identity fabrics, what am I talking about?
And this is a very high-level picture, drill down a little then afterwards, but basically our thinking started with a very simple question. And the question is: what is the purpose of identity and access management?
And the purpose is very simple. It's giving access to everyone and you could add so to speak everything.
Every device here, to every service. That is seamless and controlled access to all these application services, whether these are SaaS services, whether these are federated business partner applications, whether these are applications running on premises. This is the top of identity and access management. So we will have to deal with different identity providers. So we will not manage all of them in our own infrastructure. Some of them will be federated in, and we will need to federate out or to integrate in other ways.
And this is the interesting challenge here, and this is the main theme of this webinar: how can we integrate to everything on that right side of this picture? Not only the modern SaaS applications, but also all the stuff which is here in the reality of organizations, because most organizations today have a hybrid IT, and this will remain hybrid for at least quite a while.
So this is what we need to achieve. And for that, we need a set of services, and that is what we call the identity fabric. So access, authentication and coarse-grain, or at least authorization.
So who's allowed to access which service, maybe even going further into granularity on that. The management of the life cycles, the governance capabilities, but also consent, privacy and stuff like that. In a more detailed picture, this looks somewhat like this.
So we have all these identities and you see here, I added devices and things on the left hand side, we have all the services on the right hand side, and we have something in between, which is a set of capabilities for providing APIs, for federating, for adaptive authentication, for governance provisioning, and many more capabilities down to device management integrated, which are delivered these capabilities by a set of services.
And these services ideally are built in the modern architecture.
And with these capabilities, with these services, we should be able to support the layer at the bottom, which is sort of our traditional IT, so legacy applications, which are either integrated directly or indirectly using what you have, or that might be network security components, that might be traditional identity management components. It's supporting also what is on the top. On the right-hand side of the top, we see the standard SaaS services, which are managed, but we also need these APIs for services, digital services, which are accessing our capabilities.
So this is the bigger picture. And when you start with this picture, the next question apparently is how to fill this picture. So which are the capabilities you need? This is based on your requirements, your use cases: which capabilities you need, in which priority, in which order. Then the questions: what do you already have? Is this good enough for the future? Is it something you will migrate over time?
And apparently, when you look at what you have, for many organizations the situation is they have Azure Active Directory, because many, a real huge number of organizations are using what was Office 365, and right now is, from what I understood, Microsoft 365, but it's the same. It's still Office 365 from my perspective.
And they use the Azure cloud. And so Azure AD comes with that.
And if it comes with that, if it's used for major services, the apparent question is which role should that play. And in this webinar, so, I will shed some light on the broader perspective, and Alana then will go into detail and talk about how could Azure AD provide services which are relevant for this bigger picture of giving everyone seamless access and controlled access to all these services. And so that you can understand: does it make sense for you?
What is the role? This is basically what we want to talk about today. So what do users expect at the end of the day when we look at it and this paradigm of seamless access? Users need to understand: where's my service, where's my application? So simple application discovery from a user perspective is super high importance.
Where is this thing I want to use? Can I access it? Easy, frictionless access, no extra authentication. So single sign-on, something users love, for instance, and they love to have single sign-on across everything.
And overall the user experience should be as consistent as it can be. So can you really integrate what you need? Because if then the user experience is painful, the value of the service decreases. And from a technology perspective, when we look at the access part of that, there's also a federated provisioning angle, I believe I'll touch in a minute, but when we look at it from the access part, then we have a couple of technologies and there's, before we move to federation, there's a more old-school technology.
We might say, web access management, which is out there for many, many years, for tens of years already, which is about saying the user wants to access an application.
He wants to have a single sign-on, also frequently called web single sign-on. And I need to put something in front of these applications. For applications that don't support modern standards, this is a very common way.
This is, as I've said out there for, for long way before we had Federation standards. And so these solutions sit in front, so to speak as a gateway of these solutions and deliver services.
So they, they provide the ability to authenticate against directory, integrating with these directories, having the central access policies, and then some integration, sometimes also some APIs for the web applications, but mainly some integrations into the web applications, commonly based on some cookies. And then you can start your next session.
Oh, you're already authenticated continuous next session. This is web access management for a broad range of applications. This is very important for the sort of the, the older types of solutions.
While we, on the other hand, have identity federation based on standard protocols, such as OAuth 2, where a trust between an identity provider who performs the authentication and the relying party or service provider who authorizes exists.
So there, we need this support for federation protocols, integrate again with directory services, or at least one central directory service, where you can manage all these sometimes tens of millions of identities, integrate with the endpoints in an efficient manner, various types of endpoints. Many of these solutions are integrated with web access management, but it's not mandatory. So we need to find something which covers both the traditional world and all the new stuff, which is standards-based, but which adds capabilities such as the adaptive authentication, which I already touched.
So this approach, which supports us in using a broad range of authenticators to also do step-up, et cetera, to use context information such as geolocation, consumes threat information of external or internal sources, provides alerts, again has central access policies available and decides about who's authenticated or not.
These things all are required for delivering on that target of the seamless and controlled and secure access of everyone to every service. So this is what we factually need to make this work.
So when we look at going there, then there are a couple of challenges which specifically come from identity management for a hybrid IT. So if we want to do it comprehensively, we must solve certain aspects. And some of them I picked here, such as the application discovery, the application access. So we need something which helps users to find all their applications, modern services and the applications which are out there for a while.
They want to have single sign-on to SaaS services as number two, but also, number four, they want to have single sign-on to all their on-premises applications. So it must serve everything. And we need to have federated provisioning in there as well.
Federated provisioning is one of the big challenges with all these federation standards, starting with SAML, because you can authenticate when you have something to authenticate. So when there's a user to map at in the SaaS service, but so you need to provision a user, and this federated provisioning is something which needs to be done.
So there's a standard, SCIM, with the a little bit complex name of System for Cross-domain Identity Management. And this standard is increasingly adopted and helps doing a lot of stuff here. Another challenge is that over time, you also might need to migrate parts of your, major parts of your IAM.
So, not necessarily everything at the same time. But if you shift to this new paradigm of an identity fabric as a bigger picture, then at some time the question is: how can you gradually migrate to this new world?
So you need some capabilities, some technology here, and there are various criteria. I picked the one we use for our Leadership Compass. Leadership Compass is our market comparison on certain market segments, such as identity as a service access management. So this is the IDaaS AM, AM for access management.
This is a high-level list of capabilities we have been focusing on for the recent edition of this Leadership Compass. And obviously, you need to integrate to an adequate directory service. You need to synchronize identity, specifically with on-premise Active Directory, which still plays a very important role for many, many businesses. You need to have this broad authenticator support, and some, at least coarse-grain, authorization, built on access policies
you manage centrally, full support for identity federation, the management also across, so single sign-on across multiple sessions, portal and easy self-services, good UI for the admins also helps, some baseline auditing and governance.
And last, not least, you need to do that well for not only the new brave world of SaaS services, but for everything.
So for the entire hybrid IT landscape you're having. When we look at the role Azure AD might play, then we will find, when we map it to this picture of an identity fabric, that there are really a broad set of capabilities which is provided by Azure AD. And that includes also integration to legacy IT, to the hybrid world organizations are facing. That's the point where Alana then will go far more into detail than I do in my intro section of this webinar, but there are the APIs. So there's a set of APIs for digital services.
So you can let your new digital services you build on the digital transformation work against information. That was, for instance, all the Graph API stuff, which allows you to easily navigate through a directory.
There are out-of-the-box integrations into a broad range of SaaS services. There's standard support for federation protocols and for SCIM, and a variety of integration options to legacy applications.
So these hybrid capabilities, for instance, include something which is called app proxy or application proxy, which then can sort of proxy between the Azure AD world and the application supporting standard authentications, including things like Kerberos or NTLM. So if you're around long enough in this space of Microsoft and authentication and Active Directory, you still might be aware of NTLM. I wrote books on, not on Azure Active Directory, on old, good old Active Directory, and even before, a lot in the 1990s and 2000s.
So I spent a lot of time dealing with such protocols. There's support for HTTP header injection, based on Ping Access, and other capabilities, integration to a variety of tools. Alana will elaborate more in that various integration options.
And so it is something, when you look at this picture and make this mapping of what do I have, what do I need, then it's definitely worth to elaborate the role Azure Active Directory can play, be it the tool, be it something in combination with other tools, but it's definitely something you need to look at.
If you are using Azure Active Directory, if you're already in the stage, or if you intend to move from on-prem AD to Azure AD, or wherever you come from. So this is the intro from my end. And with that, I'd like to hand over to Alana, who right now will go far deeper into detail on what I started to talk about and give you more insight into how this really works and what can it do. And that hopefully helps you making your technical and strategic decisions on that.
Thanks, Martin.
That was a really great overview of the central role that identity fabrics can play in modern IT. Hello everyone, I'm Alana Smith. I'm a product manager on the Azure Active Directory engineering team. Today I wanna follow on from the introduction that Martin has given and dig deeper into the functionality that we're building in Azure AD that helps deliver on that vision.
Now, I don't know if you've noticed, but things have been changing. So once upon a time, we did our work from our offices on our desktop machines, inside our corporate firewalls, running software from server rooms down the hall. And we all thought we were safe. Our environments were very controlled. But as the digital transformation has changed things around us, so our expectations have changed. Work is now an activity. It's not a place.
And so we expect to be able to submit our expense reports from our phones while sitting in Starbucks. Even more recently, we expect to be able to collaborate with our partners through Zoom over a document shared out through Dropbox from the desk we've set up in the corner of our bedrooms while our children scream from the hallway.
So this shows how the nodes of the graph that we're talking about have just exploded. The apps we're using have exploded, the devices we're accessing them on, the locations we expect to be able to work from, even the people that we work with. All of these have a multitude of connections to each other, with very few controlled by our network, our VPN, or secured by our firewall. The only common connection here is you, and this places identity at the center of how we secure our users and our data. Only by securing that access
can we make sure that we protect and we enable our users, and this is why our customers are telling us that they consider identity to be the control plane for their digital transformation.
So you need a control plane that's gonna connect all the devices that you are using. You need one that can bring together all the users that you work with: existing employees, your new employees, your frontline workers, your partners, your customers. And it needs to connect to all the applications that your organization is using.
As Martin mentioned, for the foreseeable future the world is a hybrid one, where we're both in the cloud, or clouds, and simultaneously on premises. This is the world we need to be able to protect. And at the same time, we wanna make sure we can future-proof our investments. So to deliver digital transformation for your users, you need a modern cloud-based identity system that can give you all of this. And as we mentioned, if you're using Office 365, you already have a pretty good one.
So there are a number of cloud identity providers out there.
So I wanna talk a little bit about the unique value of Azure Active Directory. First and foremost is security. Azure AD can bring all your apps together and let you apply consistent policy to protect all of them. This includes letting you use cloud intelligence to protect your on-premises investment, just like you use it to protect your cloud apps. The next major piece is making sure your users are happy and productive. They need to have a great experience they can rely on and trust, which stays out of their way when they're trying to get work done. And the last big piece is cost.
This is particularly relevant right now, as we look at an economy that might be reducing IT budgets and causing us to tighten our belts. If you're using Office 365, you're already using Active Directory. So it's a great time to look at whether you should be also using duplicate products on top of that, or instead leveraging the full power of the platform you're already invested in. Then that platform provides a whole bunch of capabilities that can help you save even more money through things like automation, delegation, and self-service. So let's dig into some of these.
So the bad actors are out there and their activity is growing exponentially. We're seeing about a hundred percent year over year growth in activities by nation states, private parties. These attackers are nimble and they're creative and they're fast moving.
It's simply not realistic to imagine that your security staff can respond at that kind of rate. So that's why you need software that can do real-time detection, that can respond faster than any human to new types of attacks and keep you safe, because we are all under attack. Now, just about every cloud product out there will tell you about their machine learning and artificial intelligence that they use to keep you safe. And there are some very cool and very effective products, but at the end of the day, security is a numbers game.
You need signal, big fat signal to detect and respond to those patterns.
You need it at scale and you need it from a variety of sources. And this is why the cloud is key for responding to attacks. You need visibility into patterns beyond your own organization, and you need to be able to process massive amounts of data. Across identity systems, both Azure Active Directory for professional accounts and Microsoft account for private accounts like Xbox and Skype,
we have more than a billion users every month. This generates a lot of signal for us. We also take signal from lots of other surfaces in the company and outside. So what do we know from law enforcement? What is Microsoft Defender telling us about malware on devices? What are our cloud products like Microsoft Cloud Application Security and Azure ATP telling us? All of this data is correlated and fed into our security graph, which generates this 171 terabytes of activity logs every day. And that's what our machine learning trains on.
So when you are using Azure active directory, we're using the same industry leading technology that we use to protect Microsoft and to protect our millions of customers and we're using it. And you can use it to protect both your cloud apps and your on-premises apps. So it's not just for Microsoft products. You can expand it to every application in your estate.
Oh, sorry about that. I accidentally moved on a little bit too briskly. So conditional access.
This is, this is the name we give to our adaptive authentication feature. It is at the corner. It is at center of our zero trust strategy. So we use all of this intelligence from that 171 terabytes of, of data to make a judgment of risk for any user or any session. This is combined with settings that, that you can configure based on what you know about your organization and your business into these conditional access policies. It allows us to take a wealth of signal and apply all sorts of controls, including blocking access requiring MFA, or perhaps limiting a session.
So for example, perhaps if you are on an untrusted device, you can't download files. Options like these are only possible because we're taking signal from all these places. And we have all of these remediation options that are provided by the integration across the M365 suite.
Now, I dunno if you remember this, but back in 2017, the Danish shipping company Maersk was hit very hard by NotPetya. If you're interested, there's a really great Wired article that talks about it. What you won't read in the Wired article is the role that Azure Active Directory played in helping Maersk get back up and running and recover their capabilities in the face of
NotPetya. It means that Maersk is deadly serious about security, but they're also unwilling to sacrifice productivity. With Azure AD and with the controls provided by conditional access and the intelligence we have in place there, the trade-off between security and productivity doesn't have to be made. We believe we can offer a solution where you can offer both productivity and security without those sacrifices.
But it's hard to prove security. And so for all of us who wanna continue to be employed, it's also essential
we're providing really tangible value to our users, that we're helping them be more productive and get their job done. The first major advantage, of course, is single sign-on. On average, companies are using about 180 apps, apparently. And any individual user is using about 35. That's a lot of credential pairs to remember, and a lot of wasted time typing in username and password,
if you haven't already moved to a single sign-on solution. With Azure AD, they can have a single set of credentials that they use for work. The credentials that they use to log into Office get them into all of their apps in your estate. And in most of those situations, they just need to sign on once.
So Azure AD is integrated with a couple of thousand apps pre-integrated, and many of those big ones support automated provisioning. This automated provisioning piece is super important. This means that your HR app can tell Azure Active Directory about a new hire.
They can automatically be granted access to the apps that they need based on the policies inside your organization. And then accounts can be created for them in those apps through our automated provisioning functionality. This is a great onboarding experience, 'cause it means that those new employees can get up and running quickly.
Their first week or two is not wasted while they try and get access to the tools that they need. Needless to say, it also works in reverse, so that when employees are no longer employed by the company, they'll lose access to those applications automatically.
But getting to the apps your users need, we offer this centralized user portal. This speaks to the discovery piece that Martin was talking about earlier. This allows you to collect up and manage all the apps your organization uses. It also makes it much easier for you to roll out new apps.
This means that a user can know: these are the applications that my organization wants me to use. These are blessed. These are safe. These have policy applied to them. In many cases, people are adopting new applications through shadow IT just because they're trying to get their job done. But with central portals like this, they can go and discover the apps that you have approved for their use and can easily access them in a consistent way. This experience is also embedded into Office.
So if they're on SharePoint or using outlook.com, they can easily swap to your organizational apps just in the same way they swap between Office applications. And if you have an internal portal that you're using, maybe you've invested heavily in your internal communication strategy and have a really great intranet portal that is the primary place you drive your users to, then you can just take our single sign-on links and you can embed them into that experience and still get the full functionality of single sign-on, our consistent security policies to access all of those apps.
This kind of consistent experience is not just important because it makes users happy. It also builds trust and consistency. It means that if they encounter an anomaly, so a login prompt they're not expecting, or some kind of inconsistent experience, they're gonna recognize that it's weird and they're less likely to click through. So they're less likely to fall for a phishing attack or other types of attacks. And that helps keep you and your organization and your data safe.
The third big advantage that our customers tell us makes Azure Active Directory stand out is how it can increase IT efficiency and free up your staff to pay attention to the most important things. This includes automated tasks like provisioning, which we've talked about. So they don't need to be manual and they don't need to be error-prone. It also includes delegating tasks out to end users or out to managers.
If an end user can reset their password, they don't have to call help desk.
If a manager can manage access, it means that the right decisions are being made by the people who really know who should have access. All of this reduces the load on your IT staff, and they can pay attention to things where they have the expertise and where they're really the only ones that can do it. With the economic changes,
of course, this is also helpful if there are headcount reductions or reductions in budgets as well. So these are really important things to think about. This is also an opportunity to reduce infrastructure. If you can move off on-premises identity providers like ADFS or Ping or things like that, and move to a cloud identity provider you are already using, this means you can reduce some of that on-premises infrastructure. And if you're using the one that's built into Office, that you already have and already invested in, you don't need to look at duplicate products.
You can instead dive more deeply into the value provided by that single identity provider.
So here's a fun set of facts that sort of, kind of hurt me deeply. Many of our customers who are using Office 365 don't realize that they have Azure Active Directory. And we did a survey recently of administrators, and a huge percentage of them didn't realize that Azure Active Directory could be used with non-Microsoft products. Most people see Azure Active Directory as an identity system for Microsoft products. And that hurts us deeply, 'cause we are so serious about apps.
We want to take this secure, productive, efficient environment that we've created and we wanna expand it across your entire estate, so you can be realizing that value in your whole organization. So if you have 180 apps in your organization, do you know what they are? Are they all protected? Are they all governed? Are they under IT control? Are they audited? Are they using a modern identity solution?
A good initial step, as you are looking to center on a cloud identity provider, is to discover what your landscape currently is. With our app discovery functionality, which leverages the endpoints of Microsoft Defender, you can go and discover what apps people are using, and you'll discover all sorts of things, but it will help you understand which ones are the most risky and which ones are leaving you most vulnerable. So you can prioritize which ones should be brought under IT control and governance.
We also have a bunch of tooling that we've built around helping you take applications that are integrated with ADFS and other providers and upgrade them to a cloud identity platform. So you can leverage the full power of what you have there because we want you to discover those 180 apps. We want you to integrate them with Azure Active Directory. There are about 2 million non-Microsoft apps that leverage our platform every month. A lot of them are built by developers for their own organizations.
We have about 3000 that were pre-integrated with the platform, the SaaS apps that you can just pick up and start using. And the lion's share of that comes from exactly the names that you'd expect: your ServiceNow, Workday, Salesforce, Concur, those kind of names.
Actually a little app called Zoom seems to be growing a fair bit recently. So we've got a couple thousand apps pre-integrated. We've also got a lot of smaller or more regional apps.
And so they're pre-integrated, you can just pick up and start using, but you can also integrate your own apps as well. We just love standards. You wouldn't think that someone from Microsoft would say this, but we are super serious about standards because it allows us to connect to what you are using. There are actually a handful of people on our engineering team whose jobs it is to work as part of the standards bodies and move the standards forwards in ways that benefit our whole identity industry.
So if you have an app that supports SAML or OIDC or any of those, you can set up single sign-on with Azure Active Directory. And as Martin mentioned, if you have an app that supports the SCIM protocol, you can set up our automated provisioning with that as well. We're actually actively working to revitalize that SCIM standard because we believe it is a super important one for our identity community.
So we want all your apps connected, and we're not just open about standards. We're also embracing everything else that's going on in our industry.
We don't wanna force you to take the Microsoft way of doing things. We wanna meet you where you are and make sure we can provide value there. So this includes access, not just to your Microsoft cloud and to your SaaS apps, but also to your other clouds. We'd love you to use Azure, but we know that many of you are using AWS or GCP or all three all at the same time. And we think having one identity system to control access to all of those allows you to pursue a multi-cloud strategy in a controlled and protected way.
So that is something we actively wanna provide for you. In fact, I've heard, can't verify this, but I've heard that our friends over at Google recommend us to their larger customers as the best way for them to manage access to GCP.
Now we've talked about SaaS apps. We've talked about the clouds, but the big major piece we're also talking about is our on-premises applications. As Martin was talking about, it's not much good if your cloud identity system can only protect cloud apps. We're all gonna be hybrid for the foreseeable future.
So our application proxy is a service which leverages single sign-on, and you can apply the same security policies through conditional access, which acts as authentication and transport for you to do remote access to on-premises apps. The way that it works is, inside your organization, you have a very lightweight connector that sits close to your applications, and it pulls out to the Azure Active Directory app proxy service to look for traffic.
This is a really great solution because it means that you don't have to install anything in your DMZ. You don't have to punch new holes in your firewall. Maybe you don't even need to bother your networking team, but you can still provide access to on-prem resources from a Starbucks or from people's homes. As you can imagine, we've seen a big increase in usage of that proxy recently.
People are now able to work at home and access their on-premises SAP or their Tableau server or the legacy apps that they used to only be able to access when they were sitting in their office.
We've had customers who, you know, have had a policy of zero work from home. You must be in the office to work.
And recently, like over a weekend, they've had to flip that policy. Now, what most of them have found is that their VPN solutions can't handle that kind of load.
And we end up getting panic phone calls, but the application proxy has been so key in enabling those scenarios for these legacy apps that may never move to the cloud, or they aren't there yet. And so that's a crucial piece, as we think about a cloud identity system that connects to all of your apps, not just your cloud apps.
Now, if you are using an application delivery provider, if you are already invested in something like Zscaler or F5 or one of these, then we have partnerships with those. You don't have to use that proxy. We can integrate directly with those delivery controllers and enable that same scenario of remote secure access to your on-prem devices.
The last major piece is our developer story.
Whether you're a large ISV who wants to build a business on a couple of hundred million people using Azure AD, or if you're an in-house developer who wants to build a great app for your company, then building on our libraries allows you to leverage that identity system. It also gives you access to the full Microsoft Graph, which opens up a wealth of new functionality across our suite of products. We are also completing out the work to make sure that any of our functionality that you can use through the UX is also available through things like PowerShell and APIs.
And so as an IT admin, you can build tools, functionality. You can automate your tasks to make sure that anything you can do in Azure Active Directory can be programmatically accessed. The API piece is super important for us.
Now I've covered a lot of ground here, and there's obviously a lot of options. The first thing I would say to you, if you were looking at moving deeper with Azure Active Directory, is that it doesn't require you to change everything.
We always used to joke that a traditional identity project takes at least 18 months and three staff turnovers. With Azure AD, we just want you to pick the piece that solves your biggest problem and use it to prove value and then move from there. It's super important in today's fast-moving world that we're proving value regularly to our organization and not waiting a long time after we've done a bunch of work.
And so the most straightforward approach that we recommend when you're thinking about integrating apps with Azure Active Directory is to start with the least risky and the most forward looking.
So if you are bringing a new SaaS application into your organization, future-proof it just by integrating it directly with Azure Active Directory. That's a really, really easy piece, just integrate it directly. And that allows you to prove out the value of that and get used to those kinds of experiences.
Once that has proven value, you've gotten comfortable with that. Then you can go further, you can discover your existing apps through app discovery and figure out your plan for integrating those. You can upgrade your apps from ADFS or any of your other on-prem identity providers. You can connect to your on-prem apps through that secure remote access we talked about. And you can also work with your developers to develop your line of business apps directly against our identity system. So that's a bit more detail into what we're building with Azure Active Directory.
I hope you can understand how Azure AD as a cloud identity fabric can become your modern control plane to provide security, productivity for your users and cost savings for your bottom line. It can be the cornerstone of your hybrid environment, connecting users to their apps, whether they're in the cloud or on premises. So thank you and Martin, thank you so much for inviting us to come and talk.
Thank you for providing all that insight. We have a few minutes left and we have a bunch, really a bunch of questions here. So if you have more questions, feel free to enter these now.
And I'd like to pick some of these. We might follow up directly on some of the questions we might not have time to answer during the Q&A session. So the first one I'd like to pick is, I think it's an interesting one. And I got a little bit of a similar one, which then came over from an interview to Microsoft endpoint security perspective. But what can I do to maximize the existing Azure AD licenses that I got with Office 365?
So how do these licenses maybe relate to what you get in Azure AD?
Sure, absolutely, licensing questions. Okay. So Azure Active Directory comes in a couple of different editions. Some of the functionality I've talked about today does come in the higher tiers of Azure Active Directory that you get as part of the M365 E3 suite, or the M365 E5 suite.
But a lot of our core functionality and our core security just comes built in, that you get free with Office, or if you're using Azure Active Directory with Azure, or actually if you just go and stand up a free tenant, you'll get a lot of this great functionality. So you can connect to many of these apps and get that single sign-on. It's not quite announced yet, but we're actually at the moment you can connect to 10 apps per user. Let's just say that soon we will be looking at expanding what is available as part of that free tier.
The other big piece that I wanna make sure you are aware of is we have a set of functionality that we call security defaults. This is a set of functionality that's absolutely free with Office, with Azure, with any free tenant measured. And this is a set of defaults that keeps you secure. If you want more control, if you want to do more policy-based stuff about who has to MFA and where, then conditional access is the direction you'll need to go. But security defaults, it includes MFA through our authenticator app. It includes some of that adaptive authentication.
So that we're ensuring that we're not getting in people's way. And all of that is available for free with the base tier, with the free tier of Azure Active Directory. So there's a lot of great functionality that you get just by default. And then if you want more controls, if you wanna do more policy-based stuff, if you're managing at more scale, then that's when you'd move up to those higher tiers OFD.
Okay.
Alana, thank you. Great. And I think licensing questions always are important because at the end it's about money. So next question. Do I need to have an application delivery controller such as Zscaler, F5, Citrix to manage my on-premise applications, this ad. So what do I need to have in place for which types of applications?
Yeah. Yeah.
I mean, if you are using F5, Zscaler or those, then absolutely you can go ahead and use those. Those can provide that functionality for you, but the application proxy functionality that we include as part of Azure Active Directory, it provides that secure remote access to on-prem apps itself. So you don't need to go and purchase Zscaler or anything to enable that scenario.
They're just options that we provide for you that you can choose based on what's best for your organization.
Okay. Next question is: is FIDO, or FIDO protocols, supported in Azure AD?
Oh, we love FIDO. So FIDO 2.0, we are very, very heavily invested in FIDO 2.0. We're super big on passwords. I don't, sorry. We're super big on moving passwordless. And so obviously, integration of Windows Hello with Azure Active Directory, that leverages the FIDO 2.0 standard. Our authenticator app is moving towards there. Absolutely. FIDO 2.0 is one of our favorite standards.
And that's a big investment area as we try and get our entire customer base to move away from passwords. Passwords are kind of the worst combination because they are insecure and people believe they are secure.
So it's worse than them just being bad. So yes, love FIDO.
And notably it's pretty simple to move at least to two-factor authentication in an Office 365, Microsoft 365 environment, which builds an ID. And that definitely helps a lot against phishing attacks for instance, cause the second factor is far harder to attack than the first one, as we know.
Yeah, absolutely. And with some of the FIDO work we're doing, it doesn't even feel like an extra step.
I mean, you have a device and then it uses the camera to find you, I mean, those are the two factors, but it's not extra steps for you to go through. It's not a text message you have to type in or anything like that. So I really love how we're moving to a world where we can get those additional factors of security without providing additional friction.
Okay. Another question which I believe is one for a longer answer, because it's a large question, so to speak.
So the message you delivered is compelling for modern SaaS integrations and also the user access to legacy stuff with slide with cetera. But what about managing super provisioning and governing identities and entitlements directly on more traditional applications where something like the Microsoft manager or still would have been required, was already in use?
Yeah.
You know, MIM's a great option and, you know, MIM's part of a product inside our division and built by the same team. So MIM continues to be an option for some of those scenarios. We are moving to a world where we wanna make sure that that functionality is built directly into Azure Active Directory, and you don't necessarily need additional products.
That's still a journey that we're on, but we're certainly looking at leveraging some of the work that has done the provisioning connectors that were built for MIM out to some of those legacy systems and repurposing. So that Azure Active Directory can speak directly to them. That's work we're hoping we can start sharing out over the next couple seasons, but that will allow us to do provisioning down into those on-prem applications.
Some of those more legacy architectures, directly leveraging the SCIM protocol directly from Azure AD.
Okay. The next question is probably targeted more towards me. It's about the identity fabric and I have various pieces shown in their capabilities and services. And the question is which of these pieces are covered by Azure Active Directory. So is there a picture to overlay and show? And so the one thing I'd like to really emphasize here is, the set of capabilities within an identity fabric is not fixed.
So there are certain capabilities which will be there for every customer: adaptive authentication, multifactor authentication capabilities, life cycle, and for instance federation. But there also will be potentially capabilities which are higher priority to some customers, of no priority to others, to some organizations.
And the same is, the set of services might vary. So this is sort of the blueprint, which needs to adapt to the specific needs. And so the overlay might be very comprehensive or only covering major areas. And you learn about some of them which are covered, but usually this is something we do in our advisory, or which can be done based on this picture of an identity fabric, the concept. And there's a bunch of research around identity fabric out already at KuppingerCole. This can be done pretty easily. Alana, do you wanna add something here?
No.
I mean, I think we're seeing some really interesting advances in how people think about these identity fabrics. I think, you know, it's not just authentication anymore. It's growing into what traditionally have felt like different industries, like MFA and like governance, which we now believe really is a core part of those identity products themselves. I think what you'll find is most of the big blocks that Martin outlines are broadly covered.
What you do need to do is dig into your individual scenarios to find out if exactly your combination of things is provided by Azure Active Directory. You know, the big pieces are all there.
Okay. So we are at the end of the time for today's webinar. There are a few open questions, and we will provide them to Alana for following up directly on questions which are left open.
Yeah, absolutely.
Always a good sign if we have more questions than time. So with that, thank you very much to all the attendees for listening to this KuppingerCole webinar. Hope to see you soon at one of our virtual conferences, one of the other upcoming webinars or wherever else, and maybe hopefully in a not distant future at some of our on-site events again. And thank you very much, Alana and Microsoft, for supporting this KuppingerCole webinar and all the, but you brought it.