New Azure Releases by Microsoft Include Active Directory Enhancements
Microsoft released multiple Azure products and previews yesterday, with lots of Active Directory improvements.
Improvements to Microsoft's sprawling cloud-based service platform can be hard to follow, especially as the company combines its "general availability" product releases with "preview" test releases in its announcements. Sometimes it's surprising to learn what Azure isn't capable of doing, or its restrictions. Thursday's Azure news followed that trend.
The concise view of this month's Azure releases looks like this (from Scott Guthrie's blog):
- Premium Storage: New Premium high-performance Storage for Azure Virtual Machine workloads
- RemoteApp: General Availability of Azure RemoteApp service
- SQL Database: Enhancements to Azure SQL Databases
- Media Services: General Availability of Live Channels for Media Streaming
- Azure Search: Enhanced management experience, multi-language support and more
- DocumentDB: Support for Bulk Add Documents and Query Syntax Highlighting
- Site Recovery: General Availability of disaster recovery to Azure for branch offices and SMB customers
- Azure Active Directory: General Availability of Azure Active Directory application proxy and password write back support
It's noteworthy that just four new services -- RemoteApp, Media Services, Site Recovery and Azure Active Directory Proxy -- are at the general availability stage, meaning that Microsoft considers them to be ready for a production environment. Everything else is at the test level.
Four New Azure Services
The new Azure RemoteApp service is now backed by Microsoft's service level agreement (99.9 percent uptime). It's conceived for use in mobile scenarios, distributed work environments or for organizations that juggle variable app workloads. Users can access applications over the Internet that run on a virtual machine on top of Windows Server 2012 R2, either located in Azure or on premises or both. It's possible to use Microsoft-created templates, such as the one for Office 365 ProPlus, which gets maintained by Microsoft, or organizations can upload their own application templates. Microsoft outlined the somewhat complex pricing circumstances for using Azure RemoteApp earlier this month.
Media Services is for organizations needing the infrastructure to control streaming media. It's been used by various sports broadcasting companies, for instance.
The Site Recovery improvement refers to the general availability of a Disaster Recovery service for "branch offices and SMB" feature. That's not too clear of a description, but Microsoft claims to have extended its Site Recovery service to serve as a disaster recovery solution "for enabling Virtual Machine replication and recovery between Windows Server 2012 R2 and Microsoft Azure without having to deploy a System Center Virtual Machine Manager on your primary site." It may seem surprising that System Center VMM was a past requirement for using this service. Apparently, it was. A comment by Microsoft MVP Aidan Finn suggested that this Azure improvement was the "most important" one released this month. He noted that it's the small-to-medium businesses that likely will need the Site Recovery service, and they likely may not be big System Center users.
The new Azure Active Directory Proxy service lets organizations provide access to premises-based Web applications over the Internet while using Azure Active Directory services for user authentication. Microsoft added support for Kerberos constrained delegation with this release. Kerberos constrained delegation is a way of controlling which front-end services can delegate to back-end services when authenticating across domains, according to Microsoft's TechNet library explanation. Users authenticating via Azure Active Directory can use this proxy service to "automatically authenticate" for an application housed on a company's servers. IT pros can also set it up so that Azure Active Directory password changes will automatically configure premises-based Active Directory using a new "password writeback" feature. It even works for password resets, too, passing the change from Azure Active Directory to premises-based Active Directory.
Microsoft now lets organization buy access to its Azure Active Directory Premium plan via the Office 365 commerce catalog. That capability, which doesn't require having an Enterprise Agreement, apparently was a much-requested item, according to an Active Directory team blog post, which explains how to set up an account. Microsoft is planning to make the Premium plan available through the Azure portal, too, but it will take "a few more months" before that gets activated, according to the blog post.
Azure Active Directory Preview Releases
The December release included some Azure Active Directory features at the preview level. The No. 1 requested feature, now in preview release, is an "administrative units" capability. It's for large organizations that need to restrict administrative access according to specific regions or business units. That's done by scoping the access. A Microsoft-produced Channel 9 video illustrates the administrative access concept in diagram form here. So far, though, there's no graphical user interface controls for administrative units controls. It's done using PowerShell for now, as explained in the Active Directory Team blog post, which also noted some current limitations.
Another feature at the preview stage is a "question-based security gate for password reset" capability. It allows password resets to be performed by employees who don't have "company-supplied e-mail addresses or phones at work," according to Microsoft's Active Directory team blog post. The security is bolstered by setting up challenge questions for end users.
Microsoft added a preview of the ability to enable single sign-on access to a company's custom Web apps. This password-based single sign-on capability "enables you to manage user access and passwords to Web applications that don't support identity federation," Microsoft explained.
In addition, Microsoft added the ability for an IT administrator to add links to apps listed in the Azure Active Directory Access Panel, which is a Web-based portal that's used by end users for accessing Web applications. Accessing those apps doesn't require single sign-on. Moreover, the apps don't have to be located in the Azure Active Directory application gallery, the Azure team blog explained.
If all of that isn't enough to consider, Microsoft elaborated on its December Azure releases in various company blog posts. Here's a shorter summary of the December releases, along with a list of blogs (likely not a complete one) on the new capabilities:
Microsoft has still another comprehensive tallying of the December Azure releases in this cloud-plus enterprise blog post.