I recently had the chance to talk with Brad Anderson, Microsoft's corporate vice president for Windows Server & System Center, in advance of his post last Friday about the role identity plays in the company’s Cloud OS architecture and its identity strategy in general. Anderson has been posting regularly about the various components of Cloud OS in his blog In The Cloud, including its pillar of People Centric IT (PCIT), but Identity Management for Hybrid IT is the first blog post that has focused solely on this critical component.
Anderson underlined the strategic importance of Microsoft’s identity platform to support its four key investment areas: consumerization of IT, the move to the cloud, the explosion of data, and new application development models influenced by the cloud. "Identity underlies every one of these trends. Identity is key to everything. In the consumerization of IT scenario, you must be able to understand who the user is and what device [he or she is] working on—and that's all based on identity. Controlling access to the explosion of data is based on identity. And identity is fundamental to cloud computing and applications."
In the almost 3,000-word blog post, Anderson and key product managers from the Active Directory team laid out a fairly comprehensive overview of AD as it fits into Microsoft’s Cloud OS future. And there are now two AD components: the original on-premises AD (now being referred to as Windows Server AD), and Windows Azure AD in the Azure public cloud service. This clarification is necessary because, as in any hybrid computing architecture, there are many ways you can move the building blocks (such as identity) around. You can have a traditional on-premises Windows Server AD, which is a scenario represented by hundreds of thousands of companies around the world. You can create a Windows Server AD domain controller (DC) as a virtual machine (VM) in the public cloud (or move it there) for an on-premises domain. You could also flip that scenario on its head and create a Windows Server AD domain in the public cloud composed of virtual DCs, and have one or two of its DCs on premises. Finally, you can add Azure AD into the mix to extend your on-premises identity into the Azure cloud.
Shedding More Light on Azure Active Directory
Much of the post is devoted to clearing up the confusion of Azure AD and its relationship to Windows Server AD. This approach is understandable, as Azure AD has been growing up under most people’s radar; now it’s standing right there in front of you. Is Azure AD “just like” Windows Server AD? Is Windows Server AD now obsolete? Are companies supposed to ship their identities wholesale up to the cloud and decommission their DCs? The answer to all three questions is “no.” Azure AD is designed to complement or extend your current identity architecture—not supplant it. If you eventually decide to move your company entirely “to the cloud” and are using Azure AD as your cloud identity store, that directory would become your primary identity directory. But I expect few companies will be jumping in this direction any time soon.
Anderson takes great pains to point out how reliable and scalable this directory service is:
- Azure AD hosts 420,000 domains that customers have uploaded data into. (I presume this is excluding the many "kick-the-tires" test domains that trial users have created.)
- It has performed 265 billion authentication requests since the service came online. (That's a heck of a large security log.)
- It performs approximately 8,000 authentication requests per second (The post says 9,000, but 1,000,000/120 = 8,333, which makes it a marketing, rather than an engineering, rounding. But hey, it’s still a lot.)
If you use a Microsoft online service such as Office 365, you’ll be using Azure AD whether you realize it or not. Because Microsoft online services depend on Azure AD, if you use any of them you’ll have your own directory, or tenant, within the Azure AD service. Note that Azure AD is far from the only choice for extending your company’s identities to the cloud; there are at least eight other solutions in the Identity Management as a Service (IDaaS) market, and most of them are more fully featured than Azure AD. Anderson said “the price is right” for the directory service because there’s no licensing cost to having an Azure AD tenant. On the cloud side, Microsoft continues to build up Azure AD capabilities on a regular basis. The debate over the success of Office 365 versus Google Apps continues, but from Microsoft's viewpoint Office 365 is a great success. According to Anderson, Office 365 is the fastest-growing business in the history of Microsoft and the fastest business to reach $1 billion in sales.
New On-Premises Identity Capabilities in Windows Server 2012 R2
Finally, the blog post outlines the various ways you can connect your Windows Server AD domains to your Azure AD tenant. At a minimum, this requires getting identities into the tenant and then authenticating to the tenant using these identities. These two capabilities—provisioning and authenticating—are a part of any cloud service, but the devil’s in the details. How deeply you integrate your on-premises identity with your cloud services will have a major impact on security and ease of use. This handy slide gives more detail about Windows Server AD/Office 365 (really Azure AD) integration options.
Windows Server AD improvements in Server 2012 R2 are focused on expanding Microsoft's presence and capabilities in the world outside of the traditional enterprise. Windows Server AD is a sturdy base to jump off from, but most of the heavy lifting in new Server 2012 R2 identity capabilities is taking place in the cloud and in the connectors to cloud (Active Directory Federation Services—AD FS) and mobile devices (Web Application Proxy). Microsoft's solution to providing secure and conditional access to corporate resources on user-owned devices, aka Bring Your Own Device (BYOD), is Workplace Join. Essentially a "domain join lite," Workplace Join makes the user authenticate to AD on his or her device. A much-updated AD FS and the new Web Application Proxy role handle the join process and install a certificate on the device. Once the device becomes trusted in AD (though not with the same degree of trust as a domain join), the user can take advantage of this status by using the device to provide multifactor authentication (using technology from the acquisition of PhoneFactor). This architecture also provides for conditional authorization, which controls access to corporate resources depending on the device being used, what network the device is on, and what resource the device is attempting to access. Uday Hegde’s post dives into more detail on these new capabilities.
Azure Active Directory Is Just Getting Started
Coincident with the Server 2012 R2 wave, Microsoft has launched a couple of significant previews for Azure AD. The first is Active Authentication, which provides multi-factor authentication to Azure AD logons and thus applications. The second is the Access Panel, which provides SSO access to third-party SaaS applications. As I've recently pointed out, the Azure AD Access Panel is Microsoft's first serious foray into the rapidly growing IDaaS market. And it's just the beginning. Anderson said that Microsoft absolutely plans to grow Azure AD's presence in the IDaaS market. "When Windows 2000 came out, we wanted Active Directory to be the authoritative source for all your applications . . . you want that same thing in the cloud. The same team that builds Active Directory (Domain Services) builds Azure AD, and so they'll make it seamless to use these together . . . that's what organizations are expecting us to do." He also addressed the maturing of AD FS, its critical role in tying Windows Server AD and Azure AD together, and its relative complexity: “In the R2 release, the most important thing we focused on was simplifying the deployment of AD FS."
Microsoft continues to aggressively build out its hybrid identity infrastructure. All the major pieces are in place; what’s missing is support for identity standards such as OpenID Connect for authentication and System for Cross-Domain Identity Management (SCIM) for provisioning, and some features (such as a broader range of supported third-party SaaS apps). What’s required to implement a Microsoft-only solution is a lot of integration work. And in this area lies the strength of many third-party IDaaS solutions.