In-Depth

Manage Identities in the Cloud with Windows Azure Active Directory

The Microsoft offering bridges single sign-on technology from the datacenter to the cloud.

Over the past decade, enterprises of all sizes have standardized on Microsoft Active Directory for managing user identity and authentication and setting Group Policies. This is largely due to Microsoft's long-ago decision to bundle Active Directory with Windows. The ubiquity of Windows Server and Exchange,along with the robust Active Directory identity management infrastructure, have made Active Directory the choice of enterprise IT decision makers to securely front-end their networks. Now Microsoft is repeating that formula in the cloud with its new Windows Azure Active Directory (WAAD).

Released in April, anyone can provision a WAAD tenant for his organization running in Windows Azure by simply going here.

Just like Microsoft provides Active Directory free with Windows Server, the company is offering WAAD at no charge to organizations using Windows Azure or Office 365 (which includes Exchange, SharePoint and Lync Online), as well as any of the company's other cloud offerings such as Windows Intune and Dynamics CRM Online.

Will enterprises take to WAAD as they did to Active Directory? That remains to be seen. It's not the only source of user-identity management -- stakeholders ranging from Salesforce.com Inc. to Google Inc., Oracle Corp., Amazon Web Services Inc. and even Facebook, among others, have their eyes on managing user identities. But the installed base of Active Directory makes WAAD a strong contender, especially for Microsoft-based infrastructure, services and software.

Today 90 percent of Redmond magazine readers say Active Directory is their primary store for user identity and authentication. Remarkably, that number will rise to 94 percent over the next two years, according to 1,128 respondents in a recent readership survey.

"Pretty much everyone has got Active Directory," says independent consultant and speaker Mark Minasi, an expert in Windows infrastructure. "It really is the security infra­-structure. It's like electricity or dial tone."

Billions Served
Just two months after releasing WAAD, Microsoft says it's already a success. Brad Anderson, corporate VP of the Microsoft Windows Server and System Center group, says WAAD has processed 265 billion authentication requests from around the world. It services more than 1 million authentication requests in a period of two minutes, or 9,000 per second. Customers have created more than 420,000 unique domains, according to Anderson, who talked up WAAD in his keynote address at last month's annual TechEd 2013 conference, held in New Orleans.

"Everything starts with the identity of that user inside of Active Directory," Anderson said. "We can extend your capabilities of Active Directory to the cloud with you in complete control about what you want to have appear inside that [Windows] Azure Active Directory."

The appeal of WAAD is it provides single sign-on (SSO) to or from the on-premises version of Windows Server Active Directory, according to Anderson. "Windows Azure Active Directory is really just extending your Active Directory out to the cloud," said Anderson, in an interview with Redmond.

While extending Active Directory to the cloud is a natural extension, it also was a much-needed upgrade for Windows Azure, especially now that the Infrastructure as a Service (IaaS) option is available. Rather than using the now-defunct Live ID (once called Passport but now referred to as simply a Microsoft account) to access Windows Azure, users can now authenticate with the same Active Directory credentials they have on-premises.

The WAAD Portal
When admins log in to the Windows Azure portal, it now has an Active Directory tab. Clicking that tab creates an enterprise directory, which prompts you to establish a domain name and create an Active Directory instance in Windows Azure. Just like the on-premises version, WAAD lets you manage user identities and control security access rights to apps and internal resources. It also lets you map the DNS to any domain.

WAAD evolved from the Access Control Service (ACS) in the Windows Azure AppFabric, a collection of components Microsoft has since decoupled. Because the AppFabric (as a collection of services) is no more, Microsoft has shifted ACS to WAAD.

ACS effectively federates identities from external sources, notably on-premises Active Directory, but also external providers such as Google, Yahoo! and Facebook. Microsoft says other external providers are in the works.

"It's basically like Active Directory on-premises, except running out in the cloud," says Eric Boyd, a Windows Azure MVP and CEO of responsiveX, a consulting firm based in Chicago. "It's central to the Microsoft cloud services. Now, instead of using a Live ID for your Windows Azure management portal, you can create your Windows Azure subscription using the Windows Azure Active Directory store."

With the rapid growth of Office 365, that means IT can take Active Directory running in the datacenter and sync it to the cloud using a tool called DirSync, which populates the WAAD instance that also underlies Office 365. This enables a customer to use those identity objects from Active Directory for Windows Azure, versus creating a bunch of Windows Live ID accounts. With the latter option, administrators were unable to centrally manage those accounts from Active Directory.

Graph API
"It's becoming a central identity component for Microsoft cloud services," Boyd says of WAAD. "Basically, as a developer, I can tap into that and do my own authentication against the Windows Azure Active Directory account; I can navigate the directory store using the REST-based Graph API. So if you're familiar with the Facebook Graph API, there's a Graph API for Windows Azure Active Directory as well, where I can navigate the hierarchy, or organizational structure, if you will."

The appeal of the Graph API in WAAD is it provides a queryable social graph that proponents say is much easier to work with than Lightweight Directory Access Protocol (LDAP), the Internet directory-access standard that all major directories support, including Active Directory.

"It's not nearly as complicated as working with LDAP and understanding what organizational units and domains and all that other stuff is," explained Michael Collier, a Windows Azure MVP and a principal cloud architect at Aditi Technologies, during a talk for developers at the recent Visual Studio Live! conference in Chicago (which, like Redmond magazine, is produced by 1105 Media Inc.).

"This is a very easy Graph -- all REST-based -- API, to walk through to get information about the user," Collier said. "You'll get that XML logic coming up as well. The nice thing about this is it's easy to access from any platform or device that you're working with. It doesn't have to be just Web applications, it can be Windows Store applications, mobile apps and anything that's REST-based."

While one of the attractive features in WAAD is that IT organizations can import identities from Windows Server Active Directory instances using DirSync, Microsoft doesn't pretend to suggest the two directories are identical. When running on-premises in Windows Server, Windows Server Active Directory includes Active Directory Domain Services (ADDS), Active Directory Lightweight Directory Services (AD LDS), Active Directory Federation Services (AD FS), Active Directory Certificate Services (ADCS) and Active Directory Rights Management Services (AD RMS).

Right now WAAD only offers ACS, the critical component for access control, which uses DirSync to connect to Windows Server Active Directory and external providers. "Windows Azure Active Directory doesn't have the ability to manage printers and devices and support Group Policy like Windows Server Active Directory," Collier noted. "It's more targeted around users, authentication and properties for those users."

Patrick Harding, CTO of Ping Identity Corp., believes over time WAAD will become a key method of cloud authentication. But Harding believes organizations will need third-party tools like his company's PingOne SSO cloud-based service, which has identity providers that connect to a wide swath of Software as a Service (SaaS) and enterprise software solutions.

"I think we're in for a significant period of time where Active Directory and WAAD will be working together, and they need to be synchronized," Harding says, adding that customers complain DirSync, while serviceable, has limi­tations. He explains: "Ping is focused on providing a robust directory-synchronization tool that can not only synchronize Active Directory with WAAD but with other cloud services as well. This is going to be quite important."

PingOne doesn't yet have connectors to WAAD, nor does another recently released tool, Centrify for SaaS & Apps from Centrify Corp. -- though Centrify does plan to support it.

"We see there will be increasing usage of Windows Azure Active Directory over time," says Cory Williams, Centrify senior director of product management. Williams and others also point to the absence of a key feature offered in the on-premises-based version of Active Directory: Group Policy.

"You can't join your machines in your domain to a Windows Azure Active Directory like you do an Active Directory on-premises," says Boyd, of responsiveX. While his customers have indicated they'd like to see Group Policy in WAAD, Boyd is urging them not to expect it any time soon. "There are certainly challenges with doing that, if that's the only source of authentication for your company," he says.

Microsoft's Anderson is non-committal. "I see doing a much more light version of Group Policy, but right now we're delivering that through Windows Intune," he says. "So think about these things as all interrelated and things we're building on together. So as we think about [Windows] Azure Active Directory and Intune, we're doing common planning and engineering milestones across those two things."

comments powered by Disqus
Upcoming Events

Redmond Tech Watch

Sign up for our newsletter.

I agree to this site's Privacy Policy.