News

Windows Azure AD Now Federates with Windows Server

• By Kurt Mackie
• 11/28/2012

Microsoft announced today that Windows Azure's federation capabilities now support single sign-on capabilities in conjunction with the use of Active Directory (AD) on Windows Server.

The addition of this capability likely will simplify management tasks for IT pros. It also will make it easier for end users to tap services delivered via Windows Azure without having to face multiple sign-in portals. IT pros can connect users to Windows Azure services by using the permissions that they have already set up with Active Directory on their premises-based Windows Server installations.

Rob Sanfilippo, an analyst with the Directions on Microsoft independent consultancy, sees the integration as beneficial for independent software vendors and IT pros managing Windows Azure.

"I think this is a useful addition to Azure's capabilities, but I would stop short of calling it a major breakthrough," Sanfilippo stated via e-mail. "The users that will realize a benefit from on-premises Active Directory federation with the Azure Management Portal are developers working on Azure-based projects and IT personnel that manage an organization's Azure deployments. These users will gain the convenience of using their on-premises AD credentials to access the Azure Portal, which can eliminate the need to manage a separate Microsoft Account for that purpose. Also, Microsoft Accounts are geared more toward consumers, so providing AD account access to Azure is a step forward for organizations that need to manage identities that work with Azure by giving them tighter control over which users can access organizational Azure accounts and deployments."

The new Windows Azure Active Directory federation capability is available effective today, according to Microsoft's announcement. Microsoft uses its Windows Azure Active Directory capability with a number of its services, including Windows Azure itself and all its Office 365 services. Windows Azure Active Directory also is used with Microsoft's Windows Intune PC management service, as well as Windows Server Online Backup. The Windows Server Online Backup service is an option to add backup security for those running Windows Server 2012 or Windows Server 2012 Essentials.

Microsoft claims to have processed more than 200 billion authentications via Window Azure since its cloud-based authentication service was started last year. The authentication process happens when user login requests are sent to Windows Azure Active Directory. Federated identity refers to the process of using a management system on premises to create a single sign-on capability. Single sign-on lets users log in once to access applications or services that might not be locally housed.

The Windows Azure Active Directory federation capability lets IT pros tie access to Windows Azure services to the employee's status in the Windows Server Active Directory. So, removing an employee via Active Directory in the local environment will cut them off from accessing the Windows Azure Management Portal.

In addition, password polices can be set through Windows Server Active Directory, which will affect the Windows Azure Management Portal. That includes setting various password options in Active Directory, such as setting up two-factor authentication. User identities and passwords are processed at the organization's local Active Directory, so they aren't shared with, or validated at, Microsoft's cloud, according to Microsoft's announcement.

The federation process happens between domain-joined machines. IT pros can bypass some sign-in screens by appending the organization's domain name URL to the Windows Azure Management Portal's URL. Those details are outlined in Microsoft's announcement.