First published on CloudBlogs on Oct, 14 2014
Throughout this series
I’ve written quite a bit about
and its pivotal role in any enterprise mobility strategy. While I don’t want to be too repetitious on this topic, I do think it’s important to continually emphasize its ongoing value.
Any strategy that attempts to enable device usage anywhere with any platform has to give you the tools to set policies about how corporate data is accessed and used. This seemingly simple (but incredibly difficult) process is all based on your infrastructure’s ability to identify the individuals and devices accessing your network. Identity management helps keep your data in the right hands at the right times.
As enterprises continue to consume more and more SaaS offerings (the workforce in an average enterprise uses more than 300 SaaS apps!), IT has to
take an active position
when it comes to extending identity management to each of these SaaS apps. Today the majority of SaaS apps that are being used are completely unmanaged by IT – and this puts corporate reputation and assets at risk.
When we look at the
big trends and challenges
the IT industry is facing, identity management is the key element at play in all of them. For example: The device-based consumerization of IT would be impossible if we couldn’t quickly and easily verify and manage a user’s identity
their devices. A move to a cloud-based or
IT infrastructure would be impossible if there wasn’t a way to manage access, and compounding that problem, all your carefully gathered data would be worthless if there wasn’t a simple way to identify who should (and should not) be able to access it.
Identity management is an area where Microsoft excels because it is a big part of our
DNA as a company
. Today, over 90% of businesses around the world (and 95% of the Fortune 1000) use Active Directory for their identity management. We have spent millions of person-hours building and fine tuning software that enables enterprises to expand their on-prem investments to the cloud – and now we have
optimized our solutions for device management
Azure Active Directory
(you can read about AAD in depth
Whenever I get the opportunity to look at the scale and usage of Azure Active Directory I am really impressed. AAD is the premiere Enterprise Identity solution that’s delivered as cloud service. To give you an idea of its scale and power, it is servicing up to 18 billion authentication requests every day. There are 4 million organizations using AAD to manage access to their Microsoft Enterprise services (
Azure, Office 365, EMS, etc.) and it is time to extend AAD’s trusted, reliable functionality to all of the SaaS apps your organization uses.
Considering the massive install base of AD, it is safe to say that the industry would prefer not to reinvent the wheel or manually recreate all of their identities in the cloud. The good news is that this kind of reinvention is unnecessary since this is exactly what Azure Active Directory (AAD) provides in a secure and comprehensive way. AAD combines directory services, advanced identity governance, application access management, and a developer’s identity management platform. Impressive, right?
Using Azure Active Directory to Set Your Organization Apart
When building your enterprise mobility solution, you want it to deliver a small handful of critical things that I believe you should list as requirements around identity:
Integration into your existing infrastructure.
Easy syncing of your internal AD identities with 3rd party SaaS apps –
bring them under common management.
Easy syncing with your on-prem directories (aka Active Directory).
Self-service capabilities like password reset, group management, user profile, management, etc.
These areas are where Azure Active Directory
shines – especially the AAD Premium capabilities that are a part of the Enterprise Mobility Suite.
earlier in this series
, one of the key benefits AD has been providing for years is centralized identity management and access control across the enterprise + a great SSO experience for the end-users consuming enterprise services. Now, as organizations use more and more SaaS offerings (
salesforce.com, Office 365, Workday, etc.), a centralized identity management solution is more important than ever. A centralized identity management solution is critical if you want to manage SaaS apps, protect that information from being stored and accessed in those SaaS apps, and provide a SSO experience to end users.
One possible way to deliver this kind of functionality is to federate each user with each and every cloud-based app. The challenge, however, is that not all apps use the same protocols or standards when it comes to identity management. This can make federation a very complex and costly operation. What organizations
need is a hub that can do
six key things
Connect SaaS identities with their on-prem Active Directory users.
Seamlessly connect with a variety of cloud applications.
Integrate with various web protocols.
Scale around the globe to authenticate users in any location, from any device, in a way that integrates simply with their existing identities.
Provide SSO to all these apps for users.
And you do
want to have to do all this integration yourself. That’s why we do it for you.
the most common scenarios that organizations of all sizes will face as they manage identities in the public cloud:
Many applications, one identity repository.
Managing identities and access to cloud applications.
Monitoring and protecting access to enterprise applications.
Personalizing access and self-service capabilities.
You need to insist that your mobility partners/vendors provide comprehensive solutions for these four scenarios – and that solution needs to seamlessly connect to the on-prem work where you’ve already invested.
These four areas are places where, I’m proud to say, AAD can
consistently deliver at enterprise grade
Sync & Federation with AAD
AAD allows you to sync with the on-prem
Windows Server Active Directory
using DirSync combined with either
Active Directory Federation Services
(ADFS), or, alternatively, with
password hash sync
. This setup helps to configure SSO and, to make SSO even easier, the most popular cloud apps are already pre-integrated in the application gallery – no matter what kind of public cloud is doing the hosting.
This kind of integration goes way beyond simple compatibility
. Remember that, in every scenario, you are in complete control of what is synchronized from AD into AAD. Our services (like Office 365 and the Enterprise Mobility Suite) only need to have the users’ identity and four attributes in AAD. The users’ password is not one of those attributes, thus you can keep all the passwords in your local ID if you so choose
We have already done the work to integrate more than 2,400 of the most popular SaaS apps with AAD, and this fully enables the scenarios described above. We’ve also preconfigured all the parameters needed to federate with these clouds so that an administrator can select the cloud applications their enterprise is already using and configure SSO accordingly. With your identities and apps under control, the
Azure Management portal
allows for super-efficient management with a section specifically for AAD administration that allows you to take your custom LOB apps (or the ones you’ve bought from a vendor) and enable them for SSO.
Dollars and Cents: The Value of Cloud-based Identity Management
Once you’re operating your identity management solution from the cloud, your ability to manage a growing number of users and SaaS apps from the
console with the
processes becomes an invaluable advantage.
Access isn’t the only element that benefits from a top-tier identity management solution, however. Your ability to govern the creation, publishing, and usage of SaaS apps (which can be used via single sign-on) is a huge productivity booster for both you and your end users.
There’s not an IT team in the world that goes more than a few minutes without thinking about security – and this is something we think a lot about, too. This is why AAD is based on
Trustworthy Computing principals
and security is a foundational part of its architecture. I recommend reading that site’s information about just how secure that data is. It is really impressive stuff.
This is all delivered through
Azure Active Directory Premium
(a component of the Enterprise Mobility Suite) and it is an incredibly high quality foundation for any Enterprise Mobility strategy.
When it comes down to
authentication and control of corporate resources
, not only should your Enterprise Mobility identity solution require the user to correctly authenticate, but that identity solution should also know about all the devices being used to access corporate resources. This is exactly what Domain Join has done for Windows devices over the past 15 years. In our Enterprise Mobility solution we have added what you can think of as a modern Domain Join – what we call
. Workplace join enables users to
register their personal devices
with AAD which allows IT to express policy on both the user and the device.
The “Managed Everything” Model
I previously wrote about the
“Managed Everything” approach
to infrastructure, and identity plays a crucial role here. Simply put, too many IT teams are saddled with one set of tools for PC management, another set for device management, yet another for server-based computing scenarios, and then something else for identity management.
Common? Yes. Smart? No.
This approach makes a lack of integration/interoperability and compromised agility a foundational part of your infrastructure, and it guarantees a fragmented experience that is more expensive and more difficult to operate.
, start with a solution that can manage identity no matter where the person or their hardware travels, and then build around this carefully managed structure.
To get a lot of additional information about Microsoft’s cloud-based identity management solutions, check out this very helpful
Hybrid Identity Management