- Privileged access management (PAM)
- Extending cloud capabilities to Windows 10 devices through Azure Active Directory Join
- Connecting domain-joined devices to Azure AD for Windows 10 experiences
- Enable Microsoft Passport for Work in your organization
- Deprecation of File Replication Service (FRS) and Windows Server 2003 functional levels
Microsoft Passport is a new key-based authentication approach organizations and consumers, that goes beyond passwords
Azure Active Directory Join enhances identity experiences for enterprise, business and EDU customers- with improved capabilities for corporate and personal devices.
provides a new administrative access solution that is configured by using Microsoft Identity Manager (MIM). PAM introduces:
A new bastion Active Directory forest, which is provisioned by MIM. The bastion forest has a special PAM trust with an existing forest. It provides a new Active Directory environment that is known to be free of any malicious activity, and isolation from an existing forest for the use of privileged accounts.
New processes in MIM to request administrative privileges, along with new workflows based on the approval of requests.
New shadow security principals (groups) that are provisioned in the bastion forest by MIM in response to administrative privilege requests. The shadow security principals have an attribute that references the SID of an administrative group in an existing forest. This allows the shadow group to access resources in an existing forest without changing any access control lists (ACLs).
An expiring links feature, which enables time-bound membership in a shadow group. A user can be added to the group for just enough time
required to perform an administrative task. The time-bound membership is expressed by a time-to-live (TTL) value that is propagated to a Kerberos ticket lifetime.
KDC enhancements are built in to Active Directory domain controllers to restrict Kerberos ticket lifetime to the lowest possible time-to-live (TTL) value in cases where a user has multiple time-bound memberships in administrative groups. For example, if you are added to a time-bound group A, then when you log on, the Kerberos ticket-granting ticket (TGT) lifetime is equal to the time you have remaining in group A. If you are also a member of another time-bound group B, which has a lower TTL than group A, then the TGT lifetime is equal to the time you have remaining in group B.
New monitoring capabilities to help you easily identify who requested access, what access was granted, and what activities were performed