New Active Directory Features in 2017
Microsoft Active Directory is the interface that you use to manage your Windows-based computer network. This includes the management of security through authentication and authorization, and the storage of user data that can be accessed easily and quickly to determine the level of access each user has on the network. Now that we know what Active Directory is and its intended use, let's discuss some of the new features included in the latest version.
Privileged Access Management
PAM uses Microsoft Identity Manager (MIM) to help prevent identity theft tactics such as pass-the-hash, spear phishing and other types of credential theft attacks. Probably one of the most noteworthy new capabilities of PAM is the ability to temporarily add users to shadow groups so that they only have the permissions of that group for a limited amount of time sufficient to complete their task.
When their time expires, they are no longer in the group and forfeit the rights of that group. New monitoring capabilities are also introduced through PAM that will let admins know who requested access, if the access was given and what activities were performed by the users while they had access.
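The time-limited membership described above rests on the time-bound group membership feature that Windows Server 2016 Active Directory Domain Services introduced (the same mechanism MIM PAM uses in its bastion forest). The following PowerShell is an added example, not code from the original article or from Microsoft; the forest name contoso.com, the group Tier0-Admins, the user alice and the one-hour window are constructed placeholders.

```powershell
# Added example: grant a privileged group membership that AD removes on its own
# after a time-to-live, then verify the TTL and pull the audit trail.
# Assumptions (constructed): forest 'contoso.com', group 'Tier0-Admins',
# user 'alice', one-hour task window. Needs the ActiveDirectory RSAT module
# and a forest at Windows Server 2016 functional level.
Import-Module ActiveDirectory

$Forest = 'contoso.com'
$Group  = 'Tier0-Admins'
$User   = 'alice'
$Window = New-TimeSpan -Hours 1

# 1. Enable the optional feature once for the forest. This step cannot be undone,
#    so check whether it is already enabled before calling Enable-ADOptionalFeature.
$feature = Get-ADOptionalFeature -Filter "Name -eq 'Privileged Access Management Feature'"
if (-not $feature.EnabledScopes) {
    Enable-ADOptionalFeature -Identity $feature -Scope ForestOrConfigurationSet -Target $Forest
}

# 2. Add the member with a TTL instead of a permanent membership. AD drops the
#    link when the TTL expires, and the Kerberos TGT issued to the user has its
#    lifetime capped to the shortest remaining TTL, so the access really ends.
Add-ADGroupMember -Identity $Group -Members $User -MemberTimeToLive $Window

# 3. Verify: with -ShowMemberTimeToLive, time-bound members are returned as
#    '<TTL=<seconds>,CN=...>' while permanent members are plain DNs.
(Get-ADGroup -Identity $Group -Properties member -ShowMemberTimeToLive).member |
    Where-Object { $_ -like '*TTL=*' }

# 4. Who was granted what: the add is logged as a normal membership change in the
#    Security log of the DC that processed it (4728 global, 4732 domain-local,
#    4756 universal groups). Review the last 24 hours.
Get-WinEvent -ComputerName (Get-ADDomainController).HostName -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4728, 4732, 4756
    StartTime = (Get-Date).AddDays(-1)
} | Select-Object TimeCreated, Id, Message
```

The Security-log query covers only the domain controller the session is bound to; in a multi-DC environment the same filter should be run against a central event collector so expired grants can be matched to the activity performed while they were live.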
Extended Cloud Capabilities
Probably the biggest new feature for the cloud is Azure Active Directory Join. This feature allows mobile devices, such as smartphones and tablets, that aren’t usually able to join a Windows domain to register through AD. This allows for centralized management of company-owned devices and provides a way to authenticate the users of these devices and give them access to cloud network resources.
Apps, resources and updates for the devices can be centrally managed and deployed so that the devices adhere to company procedures and policies. This feature is especially valuable to small and medium businesses that have moved mostly or entirely to the cloud and have little to no on-prem resources to manage.
Connecting Domain-Joined Devices
Joining a Windows domain has been the traditional way of connecting network resources for as long as AD has existed. Now with Azure AD for Windows 10, organizations can connect devices to their cloud network environments no matter where the devices are located. Since the devices are authenticating directly to the organization’s network, there is no need for a separate Microsoft ID. The user simply uses their school or business provided user account.
Now the user can take advantage of single sign-on, roaming user settings across different devices, access to the Windows Store without a Microsoft account, strong authentication through Windows Hello and the ability for organizations to restrict access only to devices that comply with Group Policy settings.
Microsoft Passport for Work
Active Directory now provides two-factor authentication using Microsoft Passport for Work in conjunction with Windows Hello for Business. Passwords alone have become an unreliable method of authentication as a result of more creative methods of identity hacking. Two-factor authentication is the most current method for protecting user accounts and restricting access to network resources.
Enabling Windows Hello generates a key that is stored on another device such as a phone or tablet. The user logs into their machine or terminal using their password just as they usually would, and a notification is then sent to the mobile device. The user approves the login on the mobile device by entering their PIN, performing a gesture known only to them or presenting a biometric. A fingerprint reader, face recognition or perhaps even a retinal scan could provide that biometric verification.
All of these new features serve to make Active Directory better equipped to handle the security and management of today’s modern network configurations. With identity theft at an all-time high and more and more organizations moving their corporate infrastructure either partially or completely to the cloud, these features make AD the most capable network management system available.
These features allow Windows-based networks to take advantage of the latest technologies, such as Cloud Computing, Virtualization, Software as a Service and mobile devices. These concepts didn’t even exist when AD was first created, but it has done a wonderful job of growing to accommodate these new concepts and emerging resources.
If you’re looking to learn more about Active Directory features or are looking to strengthen your skills, consider a training and certification with ONLC. We have over 300 classroom locations for your RCI learning needs. Contact us today for details or to learn more about certification deals and bundles.