First published on TECHNET on Sep 05, 2013
Windows Azure Active Directory originated for the Office 365 suite of services, which includes Exchange Online, SharePoint Online and Lync Online. It is an identity provider for organization-owned identities that are hosted purely in the cloud, as well as a federation provider for identities that a customer prefers to host in their on-premises Active Directory. Unlike Microsoft account (formerly Windows Live ID), OrgID and WAAD are specifically focused on scenarios where the identity is not owned by an individual but by an organization (company, university, etc.) in which an administrator has rights to manage the ID. If you want to learn more about Windows Azure Active Directory, refer to the documentation and learning materials here.
What does this have to do with System Center Advisor? Well, many Enterprise customers we have talked to had expressed a desire to use their corporate credentials to log on to Advisor, just like they log on to Outlook on Office 365. Some other organizations have set up Windows Azure Active Directory (formerly Microsoft account for organizations) to take advantage of another attached service to System Center Operations Manager: Global Service Monitoring. We feel that organizations want to use Organizational accounts, not Microsoft accounts – when it comes to access to corporate data such as the configuration data that Advisor helps you manage.
We listened to you, and we have now made it possible: we allow organizations to grant their WAAD users and security groups access to System Center Advisor, without going through the more ‘personal’ email invite verification pattern we employed with Microsoft accounts. But no worries: if you want to continue using your Microsoft account and not migrate to Windows Azure Active Directory, you can continue to do so as well. We give you choices.
From the choice we present, the most common navigation path will be customers creating a new account and right away choosing to use an Organizational account as opposed to a Microsoft account. After you have logged on to WAAD, in order for Advisor to ‘trust’ your Active Directory token, you need to grant Advisor access to your AD. This allows our service to do things like look up/verify the validity of a username or a group within your AD, and understand whether the user who’s trying to log on is a member of a given group – in order to allow or deny access to that identity. This is a one-click step, which WAAD calls the ‘consent’ page, that must be performed by a global administrator of your AD.
Why is this step necessary? The step is entirely managed by WAAD, and essentially provisions a “Service Principal”. If you look in your Azure Portal, under the Active Directory’s “applications”, you will find that it shows the service principals that have been registered in a given WAAD tenant/domain.
In the case of some other Microsoft online services, the service principals they require are provisioned for you automatically as part of obtaining a subscription (trial or paid) to those services. In the case of System Center Advisor, since the service is free and we don’t send you through a subscription phase, we are essentially allowing you to create the service principal yourself.
After granting access, you’ll be taken through the regular account creation process.
If you do decide to switch to Windows Azure Active Directory and you were already using SC Advisor with a Microsoft account, though, despair not: not only can new Advisor accounts be opened with Organizational accounts; pre-existing accounts can also be associated with an Organization after the fact. To do so you can use the ‘Add Organization’ button in the ‘Account’ page of the System Center Advisor Portal. That will take you to a similar process of logging in with a global administrator of the AD and granting access.
Once an Advisor account is associated with an Organizational account, the global administrator account that was used to perform the association is added to the SC Advisor account in the ‘Administrator’ role.
Furthermore, the “Manage Users” window will now let you add users and groups from your AD. When compared to adding a Microsoft account to Advisor, adding an Organizational account doesn’t require an email verification flow, because our service is trusted to query your directory, and we verify that way that the users and groups you pick actually exist.
You can also mix and match both Microsoft accounts and Organizational accounts, if you wish to do so. Removing all Microsoft accounts from the list will effectively disable access to anyone who doesn’t belong to your AD.
Also note that adding an account to the list twice will effectively MODIFY/EDIT the existing entry in the list, i.e. changing the account’s role from ‘User’ to ‘Administrator’ of the Advisor account.
When using groups, we recommend not using more than two. The first reason for this is performance: looking up whether you are a member of 300 groups is far slower than only checking whether you are a member of 2 groups. The second reason is that we only have two roles (User and Administrator), hence just two groups can be assigned – one group for each role – and it is quite an elegant way to manage your access control to Advisor. All you then have to do is nest other groups and users from your AD into or out of one of the two groups, to grant/deny access and/or change the access level/role.
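The two-group pattern just described, together with the earlier note that adding an already-listed account edits its entry, as an added Python model that is not Advisor’s code: the directory, group and user names are constructed, and the nested-membership lookup with “Administrator outranks User” precedence is an assumption of how such a check could work (the page only states that the two roles exist).

```python
"""Model of the two-group Advisor access pattern (constructed example)."""
from typing import Dict, Optional, Set

# Constructed directory: group name -> its direct members (users or groups).
DIRECTORY: Dict[str, Set[str]] = {
    "Advisor-Admins": {"alice", "Ops-Leads"},
    "Advisor-Users": {"Ops-Leads", "Helpdesk", "bob"},
    "Ops-Leads": {"carol"},
    "Helpdesk": {"dave", "Helpdesk"},  # self-reference exercises the cycle guard
}

# The Advisor access list: just two entries, one group per role.
ACCESS_LIST: Dict[str, str] = {
    "Advisor-Admins": "Administrator",
    "Advisor-Users": "User",
}

RANK = {"User": 1, "Administrator": 2}


def is_member(user: str, group: str, directory: Dict[str, Set[str]]) -> bool:
    """Transitive (nested) group membership check, safe against cycles."""
    seen: Set[str] = set()
    stack = [group]
    while stack:
        g = stack.pop()
        if g in seen:
            continue
        seen.add(g)
        for member in directory.get(g, set()):
            if member == user:
                return True
            if member in directory:  # nested group: descend into it
                stack.append(member)
    return False


def effective_role(user: str, access_list: Dict[str, str],
                   directory: Dict[str, Set[str]]) -> Optional[str]:
    """Highest role any listed entry grants the user; None means no access."""
    best: Optional[str] = None
    for entry, role in access_list.items():
        granted = entry == user or (entry in directory and is_member(user, entry, directory))
        if granted and (best is None or RANK[role] > RANK[best]):
            best = role
    return best


def grant(access_list: Dict[str, str], principal: str, role: str) -> Dict[str, str]:
    """Adding a principal already on the list edits its role instead of duplicating it."""
    access_list[principal] = role
    return access_list
```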
Last but not least, the new authentication option works seamlessly and immediately both in the System Center Advisor Portal as well as from the on-premises ‘attach’ template – both in the Preview connector for Operations Manager 2012 SP1 and in the System Center 2012 R2 Operations Manager Preview.
The System Center Advisor team hopes you appreciate this improvement to the service. Let us hear your feedback!