Yesterday, Microsoft announced general availability on April 2nd of Microsoft Azure Active Directory Premium, an advanced offering that includes identity and access management (IAM) capabilities for on-premises, hybrid, and cloud environments. This new Premium offering is a collection of features for Microsoft's identity management as a service (IDaaS) platform - the identity backbone for all Microsoft Online Service products - that takes a large step towards making it a viable cloud partner to Windows Server Active Directory.
Azure AD Premium is a part of the Microsoft Enterprise Mobility Suite (EMS), first mentioned by Mary Jo Foley yesterday. EMS includes Windows Intune, Azure Active Directory Premium and Azure Rights Management Services. Azure AD Premium is targeted towards the enterprise, and as such will only be available as an add-on to an Enterprise Agreement (EA). In addition to its new features, the offering guarantees a 99.9% SLA.
Why would you want Azure AD Premium? How might it be useful to you? In keeping with Microsoft's scenario-driven product design, the Azure AD Premium feature set was developed to support four scenarios: your directory in the cloud, centrally managed identities and access, monitor and protect access to cloud applications, and empower end users. Let's take a look at each of these scenarios in a bit more detail.
Your directory in the cloud
The “Your directory in the cloud” scenario focuses on integrating your on-premises Active Directory forest with Azure AD. This hybrid identity environment is created by two mechanisms, federation and identity provisioning, which together comprise an identity bridge. Federation using Microsoft’s Active Directory Federation Services (AD FS) allows Azure AD to pass authentication requests from service providers (such as Office 365 or Salesforce.com) back to your on-premises AD to provide a single sign-on experience to SaaS applications for your users.
In the Microsoft world, provisioning user identities from on-premises AD forests into Azure AD is currently handled by directory synchronization, or DirSync. The DirSync service has a number of limitations, such as only being able to synchronize with a single Windows Server AD forest. As a result, DirSync remains a blocking factor for the (many) enterprises with multiple account forests wishing to use AD FS and DirSync. In a smart move, the Premium version will provide usage rights to Forefront Identity Manager 2010 R2 (FIM) and client access licenses (CALs) to support more complex identity synchronization scenarios. FIM 2010 R2 is not aware of Azure AD Premium features, however. This is an excellent example of how on-premises software, with infrequent updates, falls out of integration with often-updated web services.
Figure 1: The Microsoft identity bridge: AD FS and DirSync
Also included in this scenario is Azure AD’s role as an identity broker for SaaS applications. This is the classic IDaaS use case, where Azure AD users (and, through the federation / synchronization described above, on-premises AD users) have single sign-on access to 1200+ SaaS apps already integrated into the cloud identity service. The Azure AD team is reportedly adding up to 50 new applications every day. That’s some developer resources, folks.
Centrally managed identities and access
This scenario is about managing identities, users, groups, and access to applications through a central Azure AD management console. This also includes the capability to provision and de-provision users to a small subset of standards-supporting apps such as Box, Office 365, and Google Apps. For other apps you must create (i.e. provision) the user account in the app, then connect the Azure AD user to the app. This lack of easily-configured apps isn’t Microsoft’s fault. Rather, it points out precisely why service provider adoption of the SCIM provisioning standard is so important. Once standardized, the number of apps that IDaaS providers like Azure AD can automatically provision to will skyrocket. I expect capabilities in this scenario to continue expanding over the next few months.
Monitor and protect access to cloud applications
This scenario describes security reporting in the Azure AD base (free) and Premium offerings to track inconsistent access patterns, perform analysis on the patterns and generate alerts. The base offering has reports for
- Sign ins from unknown sources
- Sign ins after multiple failures
- Sign ins from multiple geographies
The Premium offering adds reports for
- Sign ins from IP address with suspicious activity
- Irregular sign in activity
- Users with anomalous sign in activity
- Which users are most actively using an application
- What devices a user has signed in from
Premium also offers email notification of anomalous behavior to Azure AD administrators. You can find out more about these reports in the Monday blog post by Alex Simons, Azure AD’s director of program management.
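As an added illustration (not code from the original post or from Microsoft), here are the three base-tier report conditions listed above implemented as detection logic over a constructed set of sign-in events. The event format, the thresholds and windows, and the notion of a "known source" network are assumptions made for this example; the real reports use Microsoft's own heuristics.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (not real log data), oldest first:
# (ISO timestamp, user, succeeded?, country code, source is a known network?)
SAMPLE_EVENTS = [
    ("2014-03-27T08:00:00", "alice", False, "US", True),
    ("2014-03-27T08:00:30", "alice", False, "US", True),
    ("2014-03-27T08:01:00", "alice", False, "US", True),
    ("2014-03-27T08:02:00", "alice", True,  "US", True),   # success after 3 failures
    ("2014-03-27T09:00:00", "bob",   True,  "US", True),
    ("2014-03-27T09:20:00", "bob",   True,  "BR", True),   # second country 20 min later
    ("2014-03-27T10:00:00", "carol", True,  "DE", False),  # source network not known
]

def parse(raw):
    """Turn raw tuples into dicts with real datetimes, keeping event order."""
    return [{"ts": datetime.fromisoformat(t), "user": u, "ok": ok,
             "country": c, "known_source": k} for t, u, ok, c, k in raw]

def unknown_source_sign_ins(events):
    """Report: successful sign-ins whose source is not a known network (assumed criterion)."""
    return [(e["user"], e["ts"]) for e in events if e["ok"] and not e["known_source"]]

def sign_ins_after_failures(events, min_failures=3, window=timedelta(minutes=10)):
    """Report: a success preceded by >= min_failures failures for the same user within window."""
    hits, recent_failures = [], defaultdict(list)
    for e in events:
        fails = recent_failures[e["user"]]
        fails[:] = [t for t in fails if e["ts"] - t <= window]   # drop failures outside the window
        if e["ok"]:
            if len(fails) >= min_failures:
                hits.append((e["user"], e["ts"], len(fails)))
            fails.clear()                                        # a success resets the streak
        else:
            fails.append(e["ts"])
    return hits

def multi_geography_sign_ins(events, window=timedelta(hours=1)):
    """Report: the same user signing in successfully from two countries within window."""
    hits, last_success = [], {}
    for e in events:
        if not e["ok"]:
            continue
        prev = last_success.get(e["user"])
        if prev is not None and prev["country"] != e["country"] and e["ts"] - prev["ts"] <= window:
            hits.append((e["user"], prev["country"], e["country"], e["ts"]))
        last_success[e["user"]] = e
    return hits
```

Run each function over `parse(SAMPLE_EVENTS)`: alice trips the multiple-failures report, bob the multiple-geographies report, and carol the unknown-source report.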
This scenario also includes Azure multi-factor authentication (MFA) as a possible step-up action when suspicious activity is detected. This feature is broader in scope than MFA for Office 365 (Figure 2); remember that Office 365 is just one service that Azure supports. The broader Azure MFA feature provides MFA capabilities for any service that Azure AD supports, including access to SaaS apps. Azure MFA also has an optional on-premises component, MFA Server, which extends MFA to a variety of on-premises applications such as VPN, AD FS, Exchange / OWA, IIS web applications, and terminal services. Channel 9 has a 6 minute video overview of MFA and how it works both on-premises and in Azure AD.
Figure 2: Azure MFA vs. MFA for Office 365
Empower end users
The final scenario, “Empower end users”, is about making all these services easy to use. Several features support this scenario. First, Azure AD now supports the ability to have a company branded, personalized application access panel at the standard URL http://myapps.microsoft.com. Figure 3 shows the sign in screen for one of my Azure AD directories; note the logo. (This was a quick and dirty test that took about one minute from logo creation to branding upload; it’s very easy.)
Figure 3: Customized Azure Active Directory User Portal
This portal is mobile browser friendly, but Microsoft is also building mobile apps. The first, the “My Apps – Windows Azure Active Directory” iOS app was announced earlier in the month. Figure 4 shows the access panel on iPad, with one SaaS app installed:
Figure 4: AAD Access Panel with one SaaS App
The My Apps portal also allows you to manage your own account, configure MFA information (such as phone numbers or email addresses), and perform delegated group management for cloud users. It also provides the ability for users to perform self-service password reset (SSPR), though this capability is currently only able to reset Azure AD accounts. When a writeback capability (updated Azure AD attributes will replicate to on-premises Windows Server AD, not just from on-premises to cloud) is soon available, this feature will be a boon to many enterprise help desks.
My thoughts on Azure AD Premium
First, if you have any interest in Azure AD Premium (and if you didn't, you probably wouldn't have read this far), I strongly recommend you join the preview and enable the individual features before the GA date of April 2nd. Why? Because Premium preview members will get a 90-day grace period to kick the tires of this expanded feature set. After April 2nd, you must have an EA agreement and pay a subscription fee to access this offering. To enable the Azure Active Directory Premium preview, navigate to the Windows Azure Preview Feature page and add “Windows Azure Active Directory Premium” to your subscription by clicking "Try it now." Then, sign in to the Windows Azure Management Portal at https://manage.windowsazure.com, open your directory, and on the Configure tab, set Premium Features to Enabled.
Though Azure Active Directory Premium has a bunch of useful features, it’s not endangering Windows Server AD; rather, Azure AD is a complement to it. Azure AD still mostly stays out of on-premises authentication and authorization (MFA Server is the sole exception). Also, don’t look for feature parity between Windows Server AD and Azure AD. Though Windows Server AD and Azure AD have similar purposes at a high level, the applications they support are very different. Unlike Windows Server AD, Azure AD supports web services rather than complex, multi-tiered on-premises applications. In other words, don’t look for Kerberos constrained delegation in Azure AD any time soon.
User and group management in Azure AD has taken big steps forward, but still doesn’t have nearly the power and flexibility of delegation in the mature Windows Server AD product and its comprehensive ecosystem of ISV products.
The inclusion of FIM 2010 R2 and associated CALs will attract a number of companies to subscribe to Azure AD Premium that have wanted FIM but couldn’t afford it.
Self-service password reset, as announced today to act only on Azure AD accounts, has limited functionality. When writeback to Windows Server Active Directory (scheduled to go into preview in April) is available, SSPR becomes a big deal. SSPR, with writeback, enables a user to reset their enterprise password from wherever they are via a web browser, and could take a big bite out of the delegated password management tools market. It’s very important architecturally as well; for the first time, Azure AD will be on an equal footing with on-premises Windows Server AD for directory data. You will be able to write changes to Active Directory anywhere, whether on premises or in the cloud. This is a milestone in Microsoft’s hybrid identity strategy.
Finally, Microsoft is continuing to charge forward with enhancing Azure Active Directory. As a result, it is quickly expanding its credibility in the IDaaS market. By tying Azure AD Premium into EA agreements and throwing in some desirable capabilities like MFA and FIM with the deal, Microsoft is leveraging their dominance in the enterprise to make this new offering even more attractive. I have no doubt that the pace of announcements around its cloud identity platform will not abate in the near future, so stay tuned for more updates.