In-Depth

Microsoft Readies Windows Azure AD

Latest beta aims to ease management tasks tapping Microsoft services.

• By Kurt Mackie
• 01/04/2013

The improved federation capabilities in Windows Azure, announced in late November, promise fewer hassles for the numerous enterprises that use Microsoft Active Directory to manage both premises-based and cloud-based access to applications. Windows Azure will support single sign-on capabilities in conjunction with AD on Windows Server for domain-joined machines. While the company hasn't set a release date for Windows Azure Active Directory, Microsoft said it will be offering access control in the cloud-based version free of charge upon release.

"If you're building a service in Windows Azure, you can create your own tenant in Windows Azure and create users, and we let you manage those users, who can be connected to your cloud services," says Uday Hegde, principal group program manager for Active Directory at Microsoft. Furthermore, Hegde says Windows Server customers running AD on-premises can connect to Windows Azure Active Directory and make use of all its features.

As a consequence, IT pros can now connect users to Windows Azure services by using the permissions that they've already set up with AD on their premises-based Windows Server installations. That includes support for the new Dynamic Access Control (DAC) features in Windows Server 2012, Hegde says.

End users benefit from the new capability as well by not having to face multiple sign-in portals when accessing cloud-based apps. In essence, the new federation capability links AD changes between Microsoft server and cloud environments. So, for instance, if an IT pro removes an employee via AD in the local environment, then that change will cut off the employee's access to cloud-based applications.

The new federation improvement also extends to setting password policies. Changes made at the local environment using AD will affect the Windows Azure Management Portal password settings. User identities and passwords don't leave the local environment but instead get processed on-premises, according to Microsoft.

One Small Step
IT pros will get simpler management from this federation capability, according to Rob Sanfilippo, an analyst with the Kirkland, Wash.-based Directions on Microsoft.

"The users that will realize a benefit from on-premises Active Directory federation with the Windows Azure Management Portal are developers working on Windows Azure-based projects and IT personnel that manage an organization's Windows Azure deployments," Sanfilippo says. "These users will gain the convenience of using their on-premises Active Directory credentials to access the Windows Azure Portal, which can eliminate the need to manage a separate Microsoft account for that purpose.

"Also, Microsoft accounts are geared more toward consumers, so providing Active Directory account access to Windows Azure is a step forward for organizations that need to manage identities that work with Windows Azure, by giving them tighter control over which users can access organizational Windows Azure accounts and deployments."

In the larger world of federation services providers, Microsoft's new capabilities won't likely obviate the need for the growing cadre of Identity Management as a Service (IDMaaS) providers, adds Andras Cser, a principal analyst on security and risk at Forrester Research Inc.

Indeed, Centrify Corp. last month launched DirectControl for SaaS, a Software as a Service (SaaS) iteration of its identity management offering that extends AD to hundreds of other applications, services and platforms. And IDMaaS provider Okta Inc. last month also received a $25 million round of Series C funding led by Sequoia Capital, bringing the total amount it has raised to $52 million.

"Microsoft's offering won't push these players out of their market, because Microsoft solutions usually mainly support Microsoft infrastructure only," Cser says. "Microsoft is usually not taken seriously in IAM [identity and access management] contexts. FIM [Forefront Identity Manager] has been out for a number of years without significant enterprise adoption. These other players -- Okta, Symplified, Ping Identity and others -- are moving toward and becoming full-fledged identity 2.0 cloud providers."

Support for Other Products
Cser does believe the new Microsoft federation capability will help organizations that support Bring Your Own Device (BYOD) scenarios. "This step will definitely accelerate adoption of BYOD strategies," he says. "Microsoft has been increasingly realizing that it needs to do something about cloud and non-PC devices."

Microsoft uses Windows Azure Active Directory with a number of its services, including Windows Azure itself and all of its Office 365 services. Windows Azure Active Directory also is used with the Microsoft Windows Intune PC management service, as well as the Windows Server Online Backup service, which is a Windows Azure-based service for backing up Windows Server 2012 or Windows Server 2012 Essentials.

Microsoft claims to have processed more than 200 billion authentications via Windows Azure since its cloud-based authentication service was launched about a year ago.