In-Depth

Scenarios To Consider Before Adopting Azure Active Directory

• By Kurt Mackie
• 08/21/2015

Organizations considering the use of Microsoft's Azure Active Directory (AD) services need to examine some complex scenarios that involve user management, authentication and on-premises app support.

That complex message was outlined by Mark Diodati, a research vice president at Gartner Inc., at Gartner's Catalyst event, which took place this month in San Diego. He described how to decide among various Microsoft Azure AD technologies in his talk, "Adoption Considerations for Microsoft Azure Active Directory." In his session, Diodati also alluded to some emerging Microsoft technologies, such as "Azure AD as a Service," "Azure Domain Compatibility Service" and an "Azure B2C Service" that possibly are yet to come.

Microsoft's identity and access management (IAM) strategy has mostly been playing out in the cloud with its Azure AD service. There have been few enhancements to its premises-based AD solution. The Workplace Join capability for Windows client devices, as enabled through Windows Server 2012 R2, was the one premises-based AD improvement that Microsoft has rolled out in recent times, Diodati noted.

Azure IAM Components
Microsoft has three components that power its Azure IAM solutions. The first component is its Azure cloud computing services, which serve as Microsoft's infrastructure-as-a-service (IaaS) solution. The second component is Azure AD Premium, which Diodati described as Microsoft's "Identity Management as a Service" offering (abbreviated as "IDaaS"). Microsoft's IDaaS provides IAM services for Azure services that are built on the Azure platform. Lastly, Microsoft makes what Diodati called "identity bridge" solutions. An identity bridge is an on-premises component that's used to synchronize local directories to Microsoft's IDaaS and enable single sign-on to IDaaS. Microsoft's identity bridge solutions can bridge Kerberos and LDAP to JSON over REST, as well as SAML.

Other Microsoft IAM components include Azure AD Connect, which has the task of creating users by syncing them from premises-based environments to Azure AD. Also, Microsoft's Azure AD Federation Services (ADFS) works on premises to enable single sign-on (SSO) connections to Azure AD. Microsoft also has its Azure AD Application Proxy Service, which enables SSO capabilities for apps housed on premises, particularly apps that are Kerberos driven.

Diodati outlined three main categories to consider when assessing the use of Azure AD. Organizations should consider user management capabilities, user authentication and SSO, and the handling of on-premises applications.

User Management Considerations
Organizations that are all in the cloud, with no on-premises AD, are all set in terms of user management. Diodati said that Azure AD has a semicapable console for the purpose. Another way to manage users at scale is to leverage Azure Graph APIs, which have GET, PUT, POST and DELETE operators.

However, most organizations will have an on-premises AD environment in place. These organizations will need to use an identity bridge for their user management operations. The identity bridge acts to monitor an AD environment and will detect any changes. The benefit of using an identity bridge is that it can transparently extend user management capabilities to get into Azure AD IDaaS.

Organizations considering Azure AD should take a few steps to assure support for user management capabilities. First, they should resolve forest trust issues on premises. Next, they should clean up their local AD before using Azure AD. Gartner recommends using Microsoft's free IdFix tool to identify and fix any inconsistences, such as oddities in the way users were named. If necessary, organizations should consider using a virtual directory solution to enable runtime consolidation of multiple, heterogeneous user directories.

In addition, organizations should support user management by using the right identity bridge for directory synchronization with Azure AD. Organizations should select Azure AD Connect as the identity bridge solution if Azure AD manages all SaaS app users or if Azure password sync or writeback is used. Organizations should select a third-party app as the identity bridge solution to carry out user management and SSO, or if the organization has multiple, heterogeneous user directories.

Organizations can also leverage Azure Graph APIs to manage users. PowerShell cmdlets can be used, too, but it depends on the user management tasks that need to get done, Diodati said.

Azure Virtual Machines
Another management option is to install a version of AD into an Azure Virtual Machine, which requires an on-premises AD to work. However, there are lots of challenges with this approach. You don't have access to on-premises AD users. There are difficulties with private networking and firewalls. And you need domain controllers for the Virtual Machines.

Gartner advises making an assessment before trying the Azure Virtual Machine route. If organizations have applications that require AD-type services, then they should wait until Microsoft rolls out something new that Diodati called the "Azure Domain Compatibility Service." They should only proceed with the Azure Virtual Machine route if they have apps that absolutely require AD-type services.

Diodati added that Microsoft will be coming out with new technology that he called "Azure AD as a Service." It supports user store, Kerberos and Group Policy, but it also has some narrow aspects of a virtual directory. He didn't elaborate.

Authentication and SSO Considerations
Azure AD can be used to provide authentication and SSO access for employees, partners and customers. Organizations should decide if they want to enforce the use of passwords, SSO or both. Organizations should use both to support anywhere access.

Many small-to-medium businesses use password sync for authentication with Azure AD, which requires having Azure AD Connect in place. ADFS may be the tool to use if Azure AD is used for all authentications. In general, federated identity provides better security and SSO for on-premises users.

Organizations should use third-party tools if they want a single bridge solution for both user management and authentication/SSO or if they are using SSO with SaaS applications on premises. Another case for third-party tools is support for Web access management systems.

Authenticating with consumer users in a business-to-consumer (B2C) scenario is a special case. It means supporting social media logins, such as those of Twitter and Facebook. Diodati said using Azure AD for these B2C cases may require a fair amount of customization to work today. He recommended waiting for "Azure's new B2C service" before trying to enable it.

On-Premises App Handling
Integrating on-premises apps, such as Web apps, with Azure AD requires using Azure AD Application Proxy. That means installing the Azure Application Proxy Connector on premises, which functions like a reverse-proxy server. The on-premises Web apps then get published via the Azure AD portal.

If an organization is only using Azure AD, then the use of the Azure Application Proxy might be great. Another case for using Azure Application Proxy is if the on-premises apps are Kerberos based. Third-party solutions should be considered when there are mixtures of users coming from other IDaaS environments or if there's a need for SSO with non-Kerberos apps.

Diodati's 45-minute talk at Gartner Catalyst was quite nuanced. It's currently available on demand for Catalyst attendees and Gartner clients.