Microsoft recently announced the general availability of Windows Azure Active Directory, a cloud-based service that lets admins manage user identities and access across multiple services from one place. Although it has been running in the background of other Microsoft products for some time, and still needs work before it is a fully useful tool, it is a step in the right direction.
At its core, Windows Azure Active Directory is a directory service held in the cloud that provides basic authentication and authorization when users access cloud services. Ideally, admins use it to centralize the database of users authorized for cloud services and then grant employees and contractors access to specific applications. Those applications can be Microsoft's own or third-party applications that accept authentication through common industry standards such as SAML 2.0, WS-Federation and OAuth 2.0.
Through synchronization with an on-premises Active Directory deployment, you can also deploy single sign-on, so users don't have to remember multiple passwords or enter them more than once to access cloud applications. Just as important, deprovisioning a departed employee on-premises can now remove that person's access to cloud services as well, which had previously been a weak link in the cloud identity management story.
Windows Azure Active Directory: Not exactly new
True to Microsoft's history of dogfooding its own products, Windows Azure Active Directory had been in use for nearly a year before its current general release. Few people realised that every Office 365 account has been backed by a preview release of Windows Azure Active Directory for some time. Users of the general Windows Azure service, Dynamics CRM and Windows Intune also have their details stored in their own Windows Azure Active Directory tenants.
According to Microsoft, since just after the beginning of the 2013 calendar year, "Windows Azure AD has processed over 65 billion authentication requests while maintaining 99.97% or better monthly availability." Windows Azure Active Directory is a distributed service running across 14 of Microsoft's data centers all over the globe.
User interface improvements
One improvement between the preview release of Windows Azure Active Directory and the general availability release is the user interface, which was basically nonexistent before. Now a clean section of the modern-looking Windows Azure control panel lets you create and manage instances of Windows Azure Active Directory (Figure 1).
You create a directory from within your Windows Azure subscription after signing in with the Microsoft account that owns the subscription; a Microsoft account works across all Microsoft services. Administrators of the directory can then sign in either with their own Microsoft accounts or with organizational accounts that live in the directory itself.
Components of Windows Azure AD
Objects in any given instance of Windows Azure Active Directory can belong to one of the following types:
- Users: User accounts, including the password data, the password policy that applies to them and other attributes;
- Groups: Security groups and distribution groups, like those you're accustomed to with on-premises Active Directory;
- Role memberships: Information about which users hold which administrative roles. Only users can be members of roles; groups cannot;
- Service Principals: Identities for non-human principals, such as applications and services, that authenticate to the directory or access its data in their own right rather than on behalf of a specific user;
- Domains: A list of DNS domains connected to your cloud directory or Office 365 instance;
- Microsoft service-specific information: Subscription lists, licenses and service levels -- these pieces don't have a direct link to relevant administrative tasks and are included in the directory for Microsoft's internal use.
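The object types above can be enumerated from the Windows Azure Active Directory Module for Windows PowerShell (the MSOnline module). The script below is an added example, not code from the article; it assumes the module is installed and that the account you sign in with holds the tenant's Global Administrator (internally "Company Administrator") role. It walks each object type in the order the list gives, and the role-membership section is the one to read first in any review, since it shows exactly who can administer the tenant.

```powershell
# Added example: inventory a Windows Azure Active Directory tenant by object type.
# Assumes the MSOnline module is installed and the signed-in account is a tenant admin.
Import-Module MSOnline
Connect-MsolService   # prompts for the tenant administrator credentials

# Users: who exists, whether DirSync created them, and how their passwords are governed.
Get-MsolUser -All |
    Select-Object UserPrincipalName, DisplayName, IsLicensed, BlockCredential,
        @{ n = 'SyncedFromOnPrem'; e = { $null -ne $_.LastDirSyncTime } },
        PasswordNeverExpires, StrongPasswordRequired |
    Format-Table -AutoSize

# Groups: security groups and distribution groups, as in on-premises AD.
Get-MsolGroup -All |
    Select-Object DisplayName, GroupType, EmailAddress |
    Format-Table -AutoSize

# Role memberships: every role that has at least one member, and who those members are.
foreach ($role in Get-MsolRole) {
    $members = Get-MsolRoleMember -RoleObjectId $role.ObjectId
    if ($members) {
        "`n== $($role.Name) =="
        $members | Select-Object DisplayName, EmailAddress, RoleMemberType | Format-Table -AutoSize
    }
}

# Service principals: non-user identities that can authenticate to the directory.
Get-MsolServicePrincipal |
    Select-Object DisplayName, AppPrincipalId, AccountEnabled, TrustedForDelegation |
    Format-Table -AutoSize

# Domains: which DNS domains are verified and whether sign-in is handled in the cloud
# (Managed) or redirected to on-premises ADFS (Federated).
Get-MsolDomain |
    Select-Object Name, Status, Authentication |
    Format-Table -AutoSize

# Subscription and licence information held in the directory for Microsoft's services.
Get-MsolAccountSku |
    Select-Object AccountSkuId, ActiveUnits, ConsumedUnits, WarningUnits |
    Format-Table -AutoSize
```

Because each section is a separate pipeline, you can paste just the part you need; the role-membership loop and the service-principal listing are the two worth re-running on a schedule and diffing against the previous output.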
Connecting on-premises Active Directory: ADFS and DirSync
To connect a Windows Azure Active Directory tenant fully to your on-premises Active Directory, two on-premises components are involved. Active Directory Federation Services (ADFS) 2.0 provides the single sign-on. For a domain you have marked as federated, Windows Azure Active Directory does not check the user's password itself; it redirects the sign-in to your ADFS endpoint, which authenticates the user against on-premises Active Directory and returns a signed token that the cloud directory trusts. ADFS is therefore the trust point for credentials, and its token-signing certificate is effectively the key to every cloud identity in the federated domain: protect the ADFS servers as you would a domain controller, and keep a record of the signing certificate's thumbprint so that a change is noticed.
The second component is the Directory Synchronization tool (DirSync), which you install separately on a domain-joined server. It does not depend on ADFS, and you can run it without federation, in which case users keep the same user name in the cloud but have a separately managed cloud password. On its first run DirSync copies the users, groups and contacts from your local directory to the cloud tenant. After that it runs every three hours by default and pushes only the changes made on-premises since the previous run.
DirSync is one-way, from on-premises to the cloud. A user you create directly in the Windows Azure Active Directory tenant lives only in the cloud and is never propagated down to the on-premises directory. By the same token, disabling an account on-premises only takes effect in the cloud after the next sync run, so a stalled sync quietly extends a departed user's access.
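The two properties of the link just described that matter most for access control are whether the sync is actually running and which accounts fall outside it, plus, for federated domains, what the tenant has been told to trust. The script below is an added example, not code from the article; it assumes the MSOnline module and a tenant administrator session. It checks the age of the last DirSync run against the three-hour cadence, lists cloud-only accounts that on-premises deprovisioning will never touch, and prints the ADFS endpoints and token-signing certificate recorded for each federated domain so they can be compared with what your own ADFS servers report.

```powershell
# Added example: DirSync health, cloud-only accounts and federation trust settings.
# Assumes the MSOnline module is installed and the signed-in account is a tenant admin.
Import-Module MSOnline
Connect-MsolService

# 1. Sync health. LastDirSyncTime is stamped by the last successful DirSync run,
#    so an old value means on-premises changes (including disabled leavers) have not arrived.
$company = Get-MsolCompanyInformation
if (-not $company.DirectorySynchronizationEnabled) {
    Write-Warning 'Directory synchronization is not enabled for this tenant.'
} elseif ($null -eq $company.LastDirSyncTime) {
    Write-Warning 'Directory synchronization is enabled but has never completed a run.'
} else {
    $age = (Get-Date).ToUniversalTime() - $company.LastDirSyncTime
    if ($age.TotalHours -gt 3) {
        Write-Warning ('Last DirSync run was {0:N1} hours ago; accounts disabled on-premises since then still work in the cloud.' -f $age.TotalHours)
    } else {
        'DirSync last ran {0:N0} minutes ago.' -f $age.TotalMinutes
    }
}

# 2. Cloud-only accounts. A synced user carries LastDirSyncTime; one created directly
#    in the tenant does not, so disabling its on-premises namesake changes nothing.
$cloudOnly = Get-MsolUser -All | Where-Object { $null -eq $_.LastDirSyncTime }
'Cloud-only accounts ({0}):' -f @($cloudOnly).Count
$cloudOnly |
    Select-Object UserPrincipalName, BlockCredential, LastPasswordChangeTimestamp |
    Format-Table -AutoSize

# 3. Federation trust. For each federated domain the tenant stores the ADFS endpoints
#    and the token-signing certificate whose tokens it will accept. Compare the thumbprint
#    with the Token-Signing certificate ADFS reports (Get-ADFSCertificate on the ADFS
#    server); a certificate you did not deploy means the tenant trusts a key you do not hold.
foreach ($domain in (Get-MsolDomain | Where-Object { $_.Authentication -eq 'Federated' })) {
    $fed  = Get-MsolDomainFederationSettings -DomainName $domain.Name
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(
        ,[Convert]::FromBase64String($fed.SigningCertificate))
    New-Object PSObject -Property @{
        Domain          = $domain.Name
        IssuerUri       = $fed.IssuerUri
        PassiveLogOnUri = $fed.PassiveLogOnUri
        ActiveLogOnUri  = $fed.ActiveLogOnUri
        SigningThumb    = $cert.Thumbprint
        SigningExpiry   = $cert.NotAfter
    } | Select-Object Domain, IssuerUri, PassiveLogOnUri, ActiveLogOnUri, SigningThumb, SigningExpiry
}
```

Step 3 deliberately reads only the tenant side of the trust; changing it (Set-MsolDomainFederationSettings or Update-MsolFederatedDomain) is the operation to restrict and audit, because whoever can write those settings can point every federated sign-in at an endpoint and signing key of their choosing.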
Given the push toward cloud computing, it was high time that Microsoft made something available to help admins understand identities that exist in multiple places for multiple services. Even though it's frustratingly limited in its current incarnation, Windows Azure Active Directory is a great first step. As a cloud service, it will likely be improved rapidly in the weeks to come.
About the author
Jonathan Hassell is an author, consultant and speaker on a variety of IT topics. His published works include RADIUS, Hardening Windows, Using Microsoft Windows Small Business Server 2003 and Learning Windows Server 2003. Jonathan also speaks worldwide on topics ranging from networking and security to Windows administration. He is president of 82 Ventures, based in North Carolina, and is currently an editor for Apress, a publishing company that specializes in books for programmers and IT professionals.