Success with Hybrid Cloud: Getting deep – Azure Active Directory

First published on CloudBlogs on Mar 11, 2014

In this installment of the Success with Hybrid Cloud series, I want to look at how organizations can address a very common scenario: Each of the apps your organization uses (whether on-prem or in a public cloud) requires different authentication mechanisms. In this scenario, anyone who wants to use these apps must remember a variety of different user accounts and passwords.

The downside of a scenario like this is all too familiar: Every time you want to stream a video or buy a book online you find yourself dreading the “I forgot my password” button or, even worse, the “I forgot my username” link. In a workplace setting, challenges like these are further compounded by the settings of a device you are using as well as the business services you need for work. All of this can get really painful, really fast.

The solution is a Single Sign On (SSO) capability that allows your users to log in with one ID and password (or even with Multi-factor Authentication). That solution can be found in Azure Active Directory (AAD).

AAD services over 12 billion authentications per week from more than 1.4 million businesses, schools, government agencies, and non-profits – and there are 240+ million user accounts in AAD from over 127 countries. AAD is chosen because it provides the scale, performance, and geographic reach to enable access to apps and data to any user, on any device, from any location.

Azure Active Directory

In recent years, a number of companies have spent massive amounts of money developing on-prem identity and access management solutions without actually solving the SSO problem. Every help center and IT department on earth can confirm this. The result is a lot of unhappy end users and a lot of over-worked IT teams – and all of that means huge pressures placed on IT Pros to find a simpler solution. The solution needs to understand what apps are being used within an infrastructure, how they are being used, and how to manage them.

One possible solution is a federation with each and every one of those cloud-based applications. The challenge with that approach is that not all apps use the same protocols or standards when it comes to identity management. This can make federation really difficult.

What organizations really need is a hub that can do four key things:

  • Sync with their on-prem Active Directory.
  • Seamlessly connect with a variety of cloud applications.
  • Integrate with various web protocols.
  • Scale around the globe to authenticate users in any location, from any device, in a way that integrates simply with their existing identities.

With more than 95% of Fortune 1000 organizations using Windows Server Active Directory on-prem, the industry would likely prefer not to reinvent the wheel or recreate all of their identities. The good news is that they don’t have to, because this is exactly what AAD provides in a secure and comprehensive way. AAD combines directory services, advanced identity governance, application access management, and a developer’s identity management platform.

Let’s look at 4 key scenarios for AAD that organizations of all sizes will likely face as they manage identities in the public cloud:

  • Many applications, one identity repository.
  • Managing identities and access to cloud applications.
  • Monitoring and protecting access to enterprise applications.
  • Personalizing access and self-service capabilities.

Many applications, one identity repository

AAD allows you to sync with the on-prem Windows Server Active Directory using DirSync combined either with Active Directory Federation Services (ADFS) or, alternatively, with password hash sync. This helps with configuring SSO, but, to make SSO even easier, the most popular cloud apps are already pre-integrated in the application gallery, regardless of the public cloud where they’re hosted. This kind of integration goes way beyond simple compatibility.

We have also preconfigured all the parameters needed to federate with these clouds, and we’ve even created an application gallery so that an administrator can select the cloud applications their enterprise is already using and configure SSO accordingly.

AAD also provides developers with a way to integrate identity management in their new apps. Now a developer can build an application on any platform (.Net, Node, Java, etc.) and host it in any cloud, and leave the identity management to AAD. The Access Control Service provides the authentication for identities hosted in Azure Active Directory or even social logins like Microsoft accounts (Live ID), Facebook, Yahoo, Google, and many others.

Managing identities and access to cloud applications

Once identities and applications are gathered into one identity store, the next step is to find an efficient way to manage them, as well as their interconnections. The Windows Azure Management portal contains a section specifically for AAD administration, and through this portal you can take your custom LOB apps (or ones purchased from a vendor) and enable them for SSO. AAD makes the life of an admin a lot easier by providing a number of popular pre-integrated SaaS applications.

Whenever someone is hired, there are a lot of different steps an admin must take in order for the new employee to have all the required access to company apps and data. When a person leaves the company there are even more steps. Rather than spending so much time on these manual processes, provisioning and de-provisioning to the SaaS apps that AAD offers is rapid and secure. AAD also ensures that a user can access only those apps required to do that specific job. When a new identity is created, after the synchronization with the on-premises AD, the administrator can provide access, SSO, and provision the new user to a pre-integrated SaaS app – all in a single procedure.

Monitoring and protecting access to enterprise applications

At any stage in this process, you’ll likely be thinking a lot about your potential exposure to risk. We think a lot about this too, and that’s why AAD is based on Trustworthy Computing principles and security is a foundational part of its architecture.

For example, Microsoft does not store any user passwords from the synchronized on-prem identities. Additionally, all access attempts are monitored and can be displayed via a basic set of reports that can track inconsistent access patterns (unknown source logins, multiple failed logins, or logins from multiple geographies). These reports allow you to have the insight necessary to improve access security, respond to potential threats, and make decisions about other ways to mitigate risks (like Multi-factor Authentication).
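To make the three access patterns named above concrete, here is an added example (not code from the original post or from AAD itself) that runs the same three checks over a constructed list of sign-in records: logins from networks outside a known set, repeated failed logins for one user inside a short window, and successful logins for one user from two countries too close together in time. The record layout, the known-network list, and the thresholds are assumptions chosen for the illustration, not AAD’s report schema; the structure generalizes to any sign-in log that carries a timestamp, user, source IP, country, and success flag.

```python
"""Sign-in pattern checks over a constructed sign-in log (illustration only)."""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed corporate networks; anything else counts as an unknown source.
KNOWN_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]
FAIL_THRESHOLD = 5                 # failures per user ...
FAIL_WINDOW = timedelta(minutes=10)  # ... within this window
GEO_WINDOW = timedelta(hours=1)      # two countries inside this window is suspicious

# Constructed sample records (timestamp, user, source IP, country, success).
SAMPLE_SIGNINS = [
    ("2014-03-11T08:00:00", "alice", "10.0.0.5", "US", True),
    ("2014-03-11T08:05:00", "bob", "10.0.0.7", "US", False),
    ("2014-03-11T08:06:00", "bob", "10.0.0.7", "US", False),
    ("2014-03-11T08:07:00", "bob", "10.0.0.7", "US", False),
    ("2014-03-11T08:08:00", "bob", "10.0.0.7", "US", False),
    ("2014-03-11T08:09:00", "bob", "10.0.0.7", "US", False),
    ("2014-03-11T08:30:00", "carol", "203.0.113.9", "BR", True),
    ("2014-03-11T08:45:00", "alice", "198.51.100.4", "DE", True),
]


def parse(records):
    """Turn raw tuples into dicts with typed fields, sorted by time."""
    events = []
    for ts, user, ip, country, ok in records:
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "ip": ipaddress.ip_address(ip),
            "country": country,
            "ok": ok,
        })
    return sorted(events, key=lambda e: e["ts"])


def unknown_sources(events):
    """Logins (successful or not) whose source IP is outside every known network."""
    return [(e["user"], str(e["ip"])) for e in events
            if not any(e["ip"] in net for net in KNOWN_NETWORKS)]


def repeated_failures(events, threshold=FAIL_THRESHOLD, window=FAIL_WINDOW):
    """Users with at least `threshold` failed logins inside a sliding `window`."""
    recent = defaultdict(list)   # user -> timestamps of recent failures
    flagged = set()
    for e in events:
        if e["ok"]:
            continue
        q = recent[e["user"]]
        q.append(e["ts"])
        # Drop failures that have aged out of the window.
        while q and e["ts"] - q[0] > window:
            q.pop(0)
        if len(q) >= threshold:
            flagged.add(e["user"])
    return sorted(flagged)


def multiple_geographies(events, window=GEO_WINDOW):
    """Successful logins for one user from two different countries inside `window`."""
    last_ok = {}   # user -> (timestamp, country) of the previous successful login
    flagged = []
    for e in events:
        if not e["ok"]:
            continue
        prev = last_ok.get(e["user"])
        if prev and prev[1] != e["country"] and e["ts"] - prev[0] <= window:
            flagged.append((e["user"], prev[1], e["country"]))
        last_ok[e["user"]] = (e["ts"], e["country"])
    return flagged


def run_checks(records):
    """Run all three checks and return the findings keyed by pattern name."""
    events = parse(records)
    return {
        "unknown_source": unknown_sources(events),
        "repeated_failures": repeated_failures(events),
        "multiple_geographies": multiple_geographies(events),
    }


if __name__ == "__main__":
    for pattern, findings in run_checks(SAMPLE_SIGNINS).items():
        print(pattern, findings)
```

On the sample data this flags bob for five failures in four minutes, carol and the second alice login as unknown sources, and alice for a US login followed by a DE login 45 minutes later. Each check is independent, so a real report would normally rank a user who trips more than one of them higher than a user who trips a single one.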

Personalized access and self-service capabilities

When administrators assign access to pre-integrated SaaS applications from the Windows Azure Portal (as described earlier), shortcuts to these apps are displayed, for every user, via a single personalized web page that is hosted on Windows Azure. This eliminates the need for users to remember how to access every app whenever they need to use it.

With Access Panel every user has a personalized view of their apps (see image below), and admins can view the Access Panel from any device. Access Panel can also be customized with an organization’s logo and colors to make the user experience seamless. The self-service password reset and self-service group management functionality are also found here.

Find out more

To find out more about Azure Active Directory and learn about all of its capabilities, I recommend checking out these sites: