It isn't easy being a software vendor in the Microsoft ecosystem. You build a really nice solution that extends basic Windows Server capabilities, and the product is successful. But you're always looking over your shoulder to see if Microsoft has decided to enhance their capabilities in your area. And if they have, and if there's sig nificant overlap between their product and yours, you'd better start looking at other areas to diversify into – fast. This is exactly what Microsoft is doing with Windows Azure Active Directory in the identity management as a service (IDaaS) market.
Microsoft has a long history of doing this. Commonly known as "embrace and extend" (and sometimes extinguish) or more recently "version 3", Microsoft enters a market - often later to the game than smaller, nimbler competitors - with a product that contains only basic features compared to the existing players. The product however, is low cost or no additional cost beyond existing licensing. Over time the product is improved and features added so that its low cost/benefit ratio gains a substantial market share, often forcing smaller competitors to exit the market or diversify for survival. Hyper-V is just the most recent example of this strategy.
The Emergence of the IDaaS Market
Windows Azure Active Directory fits into this mold pretty well, with an interesting twist. The identity management as a service (IDaaS) market has been around for a number of years, but has only really taken off in the last two or three years. Startups such as Symplified, Okta, OneLogin, PasswordBank, Optimal IdM, PingOne, and others have developed solid solutions and are experiencing double-digit growth because the IDaaS model solves a very big security and single-signon problem with cloud applications. Bigger players such as Salesforce and Intel entered the game more recently, as it became clear how much potential growth was available.
Microsoft had been noticeably absent from the IDaaS market. In the cloud services area, they've been focused getting their Azure platform-as-as-service (PaaS) going and then - also late to the market - an infrastructure-as-a-service (IaaS) offering. The twist in their IDaaS strategy became apparent when they first announced Azure AD a little more than a year ago. It was a new web service to the public, but - guess what? - it already had an installed base of almost 3 million users. Every Microsoft Online Services customer (such as Office 365) already had their own instance of the Azure AD service. Though Azure AD at first provided only the most basic SSO capabilities, its architect John Shewchuk made it clear they were serious about this endeavor when he said "We think that identity management as a service has the potential to profoundly alter the landscape of identity", and that the right plumbing was in place when he stated "The Windows Azure Active Directory SSO capability can be used by any application, from Microsoft or a third party running on any technology base".
Azure Active Directory's Feature Growth
This year Microsoft has steadily added capabilities to Azure AD. In April, they announced its general availability (though it had already been in production, at massive scale, for several years). In June they announced Active Authentication, Azure AD's support for multifactor authentication. In Windows Server 2012 R2, Active Directory Domain Services and AD FS have been enhanced to recognize mobile devices and perform multifactor authentication and conditional access. And last week at the Worldwide Partners Conference, Microsoft announced the Windows Azure Access Panel (Figure 1), providing SSO to popular web applications that have been preconfigured into Azure AD.
Figure 1: Example of Azure AD's Access Panel to third party web applications
The Access Panel isn't the most sophisticated application portal in the IDaaS market, and it currently offers only about 70 apps, but you can bet the Azure AD team will continue to add apps and features and refine it as quickly as possible. Unlike other Microsoft products, Azure AD doesn't have a clear advantage over its competitors. Its feature set is currently inferior to practically all the other market players.
But part of the strategy is the cost: Microsoft is basically giving it away. First, if you have an Office 365, Intune, Dynamics CRM, or Azure subscription, you already have an Azure AD tenant. If not, it isn't a problem. According to the Windows Azure Pricing Calculator, Azure AD is free for up to 500,000 accounts. The Application Enhancements Preview and its associated Access Panel is also free, and I'm pretty sure it's their intention to keep it that way. That means you will be able to get web-based SSO access to a broad range of cloud applications for the price of an Azure subscription – a sweet deal. To get enterprise SSO, you can deploy AD FS R2 as a general purpose identity bridge to connect your (single) on-premises AD forest to your Azure AD corporate tenant, and get multifactor authentication and conditional access as part of the deal.
Third Party IDaaS Still Provides the Most Complete Solutions
Let's be clear: Other IDaaS vendors can provide a huge amount of added value beyond the current AD FS / Azure AD package. Without exception, the on-premises identity bridge + cloud service architectures of mature IDaaS vendors are easier to deploy, provision, and maintain than AD FS and DirSync (provisioning application) for Microsoft's solution. Several vendors focus specifically on integrating well with complicated on-premises identity management systems. All support a far more comprehensive number of applications available in their IDaaS portal. Most sport full-featured mobile portals, and a few have strong governance capabilities. If AD FS / Azure AD doesn't meet your business, security, or compliance requirements, there's almost certainly an IDaaS vendor out there that will satisfy them. And differentiation will be the key to survival for these vendors as Microsoft moves to dominate the low-cost, basic capability IDaaS market segment. As it surely will.
As I've said before, it will be interesting to watch how the IDaaS market changes as Microsoft shoulders its way in. At the moment, it isn't a zero-sum game; the market has only recently begun growing and there's plenty of opportunity. But I'm sure Microsoft will keep growing Windows Azure Active Directory's capabilities as quickly as they can until they've built a reasonably complete, if not best-in-class, IDaaS solution. And the smart competitors will have already factored adjustments into their development cycle.