Windows Azure Active Directory: The Giant Slowly Awakens

Windows Azure Active Directory: The Giant Slowly Awakens

Windows Azure Active Directory isn’t like other IDaaS offerings...yet.

Last week, Microsoft announced that Windows Azure Active Directory has been released for general availability. This means it’s now officially ready for production. In the web services world, this doesn’t mean a whole lot; we all used Gmail for years with the “beta” tag attached and pretty much ignored it. This also very true in Azure AD’s case. With the GA release, Azure AD now has the ability to add an AD instance (a “tenant”) to your Azure subscription if you login with a Microsoft (formerly known as Live) account, and granting and revoking application directory access permissions has been simplified.

Windows Azure AD is architecturally similar to other identity management as a service (IDaaS) vendors such as Symplified, Okta, OneLogin, Salesforce, PasswordBank, Ping Identity, and others in a rapidly growing expanding market. However, what makes Windows Azure AD confusing for the average customer to understand is that its offerings and primary use case are currently very different than its other market competitors – in some ways just the opposite.

Windows Azure AD’s Strength

The vast majority of current IDaaS vendors are cloud-based directory services that focus on giving single sign-on access to other cloud-based web service providers (e.g. SaaS) for businesses that have their own on-premises Active Directory as their primary identity provider. They do this through a collection of federated trusts they establish to service providers that support federation, and a technique called password vaulting for those that don’t. In contrast, Windows Azure AD provides services mainly to allow customers, as established identity providers, access to Microsoft’s own services like Office 365, Dynamics CRM online, Windows Intune (all SaaS apps built on the Azure PaaS platform), and of course Azure itself. And this intra-Microsoft directory access is ginormous: As noted in the Windows Azure blog, over 2.9 million businesses, governments, and schools are using it to manage access to Microsoft Online products. Over a 90-day period ending April 8th, Windows Azure AD processed 65 billion authentication requests at 99.97% availability.

Azure AD’s market strength lies in its installed base. If you’ve ever used Microsoft online business services, you already have a Windows Azure AD tenant. This has to be one of the greatest customer-acquisition strategies in software history. And if you don’t have your own Azure AD tenant, you can get your own for free. This means you’re one of more than 2,899,999 other tenants supported by what is surely the largest über-directory service the world has ever seen.

Yeah, I think the GA announcement is kind of an anticlimax.

Windows Azure AD’s Weakness

Windows Azure AD does have a couple of weaknesses compared to its IDaaS rivals. First, if you want to use Azure AD to provide simplified access to non-Microsoft cloud service providers like the others do, you must set up and maintain all the federated trusts yourself. And if the service provider doesn’t support federation, you must write your own password banking capability or you’re out of luck. So Azure AD isn’t currently competitive in the main service area most IDaaS providers focus on, and as such don’t even register on customer’s radar when they’re looking at IDaaS vendors.

Second, other IDaaS vendors provide you with a very simple way to connect your on-premises AD to their service, such as an agent residing on a server or a virtual or physical appliance you install on premises and perform a simple configuration routine upon. To connect your local AD to Azure AD, you must set up a federated trust with Microsoft Online Services using a federation service such as Active Directory Federation Services or a limited number of third party federation products. Then you must set up directory synchronization to replicate accounts from local AD to Azure AD. It’s not rocket science, but it’s more complicated than the agent / appliance route.

What’s Coming

Anyone that’s spent any time around Microsoft knows that you never count them out when they enter a market later than most. Tell me if you’ve heard this before: Build a basic technology, based on sound architecture. The technology may be lacking in features, but it has good bones. Make it free, or at least included at no extra cost if you license (in the new paradigm, subscribe to) the latest version of their larger product. Then begin adding features onto these bare bones, release by release, until it’s competitive with the rest of the market.

Sounds like Hyper-V, doesn’t it?

So pay attention to Windows Azure Active Directory. I’m sure the rest of the IDaaS market is looking over their shoulder at this slowly emerging behemoth. I’m also sure John Shewchuk and his team are working hard to incorporate competitive IDaaS capabilities into their hulking baby. And when each new capability becomes available, almost 3 million customers will have one more reason to consider Azure AD for their cloud identity management solution.

Sean writes about cloud identity, Microsoft hybrid identity, and whatever else he finds interesting at his blog on Enterprise Identity and on Twitter at @shorinsean.

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.