Extending device support in Active Directory

First published on CloudBlogs on Jul, 10 2013 the Microsoft Azure Active Directory Team

Hello folks. This is Uday Hegde from the Active Directory product team at Microsoft. I'm the Group Program Manager in Alex Simons' team who is responsible for Windows Server Active Directory.

Hopefully by now, you've downloaded your copy of the preview build of Windows Server 2012 R2 and have started using some of the new capabilities we've added to Active Directory in this release. If not, you can download the preview from here . Now that the build is available, I am excited to share some of the details of these new capabilities with you.

In the Active Directory team, one of our big focus areas for the last year has been to give companies the tools and technologies they need to be successful in navigating the industry wide trends toward Consumerization of IT and Bring Your Own Device (BYOD). These efforts are part of Microsoft's People Centric IT vision. You can read more on that and related technologies in today's blog post from Brad Anderson: Making Device Users Productive and Protecting Corporate Information .

In Windows Server 2012 R2, we have added a new suite of capabilities to Active Directory that give end users the ability to use their devices to work from anywhere, while giving IT professionals the tools and technologies they need to effectively govern access to their applications, data, and resources that may be in an on-premises datacenter or located in a variety of cloud services.

This new suite of capabilities include:

1. Workplace Join:

   Workplace join is a new feature of Active Directory. It allows users to securely register their devices with your company directory. This registration provisions the device with a certificate that can be used to authenticate the device when the user is accessing company resources. By using this association, IT professionals can configure custom access policies to require that users are both authenticated and using their Workplace Joined device when accessing company resources.

   Workplace Joined devices can also be used as a seamless second factor of authentication so users do not need to supply anything beyond their normal credentials to confirm their identity.

   At launch, Workplace Join will support Windows and iOS devices. We will extend this support to other device platforms in the near future.

2. Single Sign-On (SSO):

   SSO is the ability for an end user to sign-in once when accessing an application provided by their company and then not be prompted for their sign-in information again when accessing additional company applications.

   Active Directory has always provided this capability for domain joined PC's. In Windows Server 2012 R2, we are extending this capability to Workplace Joined devices. This will improve the end user experience, while avoiding the risk of having each application store user credentials. This has the additional benefit of limiting the opportunities for password harvesting on personal or company owned devices.

3. Work from anywhere:

   Today's employees are mobile and expect to be able to access the applications they need to get work done wherever they happen to be. Companies have adopted multiple strategies to enable this using VPN, Direct Access, and Remote Desktop Gateways. However, in a world of Bring Your Own Device, these approaches don't offer the level of security isolation many customers need. To help meet this need, we have added a "Web Application Proxy" role service to our Windows Server RRAS (Routing and Remote Access Service) role. This role service allows you to selectively publish your enterprise Line-of-Business web apps for access from outside the corporate network.

   For those of you who are already familiar with Active Directory Federation Services (AD FS), the Web Application Proxy is an extension of the AD FS proxy. In addition to being a proxy for authentication traffic, this role service is now also a proxy for web application payloads.

   Additionally this proxy can perform pre-authentication at the edge of the network before admitting any application traffic into the corporate network. By using pre-authentication, you can control traffic to your backend applications, for example, requiring them to originate from Workplace Joined devices and/or from specific users.

4. Multi-Factor authentication (MFA):

   To make this all work in a secure, reliable way, we wanted to make it easy to limit the risks associated with compromised user accounts. In Windows Server 2012 R2, we've made it much simpler to implement multiple factors of authentication using Active Directory. We have built a plug-in model so that you can plug different multi-factor authentication solutions directly into AD FS.

   If you are interested in trying this out, we strongly encourage you to consider the PhoneFactor service which has been extensively used and tested. As part of the Windows Server 2012 R2 Preview, the PhoneFactor service (code named Active Authentication) is being made available for use with the AD FS plug-in at no cost for up to 25 users and 500 authentications a month. (To continue using the service after the preview has ended or to add additional users, you will need to purchase the service).

   You can configure MFA in AD FS on a per-service basis, and we recommend that you configure MFA on the Device Registration Service in AD FS. The Device Registration Service enables users to Workplace Join their device, and as mentioned earlier, you can use the device authentication provided by the Workplace Joined device to implement a seamless second factor authentication for your users. Securing the device registration by requiring MFA for Workplace Join will provide you with a higher degree of assurance of the user's identity when they are registering their device in your company directory.

5. Multi-Factor Access Control:

   Multi-Factor Access Control is a new capability that lets IT professionals deliver compelling employee productivity and application security using a policy based access management solution.

   With Multi-Factor Access Control, IT professionals can create application specific access control policies using multiple criteria, such as the identity of the user, the identity of the device, whether the access is coming from the intranet or the extranet, and if any additional authentication factors were used to authenticate the user.

   Using this, you will be able to protect your on-premises web resources as well as services that you have subscribed to in private or public clouds, all without any changes to your backend servers or cloud services!

6. OAuth 2.0 support:

   If you follow our blog, you know that we are big supporters of OAuth 2.0 and have already released a developer preview of our new OAuth 2.0 authentication end-point in Windows Azure AD.

   Now I'm pleased to let you know that we have also added OAuth 2.0 support in Active Directory Federation Services in Windows Server 2012 R2. In addition to adding OAuth 2.0 support, we have also extended our Active Directory authentication library ( read more here ) to support AD FS. With these updates, the AD authentication library can be used by your applications irrespective of whether they depend on Windows Azure Active Directory or Windows Server Active Directory for authentication.

   Using this library makes it simpler to integrate with our Single Sign-On value from Workplace Joined devices, as well as integrate with your Multi-Factor Access Control policies.

While some of these features will show up only in Windows Server 2012 R2 Active Directory available in the preview right now, we are already working to make them available consistently across both Windows Server Active Directory and Windows Azure Active Directory. So you can expect more news on this topic in the near future.

We hope you will find our work in this area compelling in dealing with the key trends facing the industry and your company. Here are some additional pointers that are available for you as you try out these capabilities with the preview today. To see the other posts in the People Centric IT series, check out the What's New in Windows Server & System Center 2012 R2 archive.

I'm looking forward to receiving any feedback or suggestions you have on these enhancements.

Uday Hegde

Twitter: @Uday_S_Hegde