There’s been a lot of confusion about Windows Azure Active Directory since it was unveiled to the public last year, though it has been running at scale for a while. Over the next few months, I’m going to cover the various combinations of Azure Active Directory and Windows Server Active Directory that you can use to support your company, and talk about the scenarios in which you might want to use them. Because Windows Azure Active Directory is a building block that’s key to these architectures, it’s important to give you a sense of what Azure AD is and what it isn’t. How is Azure AD like Windows Server AD, and where is it different?
Windows Azure Active Directory Really Is “AD in the Cloud” . . . Sort of
Windows Server AD, specifically Active Directory Domain Services (AD DS), provides authentication and authorization (access control) to applications, file services, printers, and other on-premises resources. It uses protocols such as Kerberos for authentication and LDAP for resource discovery. But AD DS, known to the world as just Active Directory (AD), wasn’t designed to natively handle the world of web-based Internet services.
Like AD DS, Windows Azure Active Directory also provides authentication and authorization to applications. Unlike AD DS, however, Azure AD was specifically designed to support web-based services that use RESTful interfaces–services such as Salesforce.com, Concur, Google Apps, and. Also unlike AD DS, it uses an entirely different set of protocols that work with these services–protocols such as SAML and OAuth 2.0. But at a high level, you could say that Azure AD really is an “AD service in the cloud” for cloud-based applications, as Figure 1 shows.
Azure AD is not, however, simply an implementation of AD DS in Windows Azure. Far from it. Although the high-level functions of authentication, authorization, directory query, and user or group management are all there (and expanding on a monthly basis), the details of how these are accomplished are very different from AD DS. Azure AD is a gargantuan multi-tenant service that is the identity and access management (IAM) system underpinning all of Windows Azure, including Microsoft Online Services (MOS). The copy of Azure AD you can see and manage (your tenant) is a teeny little instantiation of a much larger whole, as Figure 2 shows.
In addition to providing authentication and authorization for Microsoft Online Services and other Azure subscriptions, Azure AD has connected hundreds of SaaS applications to its service to provide single sign-on (SSO), either through federation for applications that support it or through password vaulting and form-based authentication for those that don’t. In contrast, you must use AD DS + AD FS on premises, then set up each connection yourself (and only for apps that support federation).
Because it doesn’t exist in an identity void (the vast majority of enterprise user accounts are on premises in an AD DS forest), Azure AD supports the connection of a tenant (your Azure AD forest) to these on-premises forests via an identity bridge. Microsoft’s bridges are AD FS plus the Windows Azure Active Directory Synchronization tool (wisely shortened to “DirSync”) or the Windows Azure AD connector for FIM 2010 for more complicated on-premises AD scenarios. There are also several excellent third-party bridges that can accomplish this task, often more simply and with more capabilities than the Microsoft apps.
Why would you want to pay attention to Azure AD? Why should you squeeze one more bit of learning and skills into your already full-to-the-brim day? First, if you use any of the Microsoft Online Services, such as Office 365, Exchange Online, or Windows InTune, the accounts you manage for these services are in Azure AD. So you’d better know how to use it.
Second, if you’re considering using Identity as a Service (IDaaS)–and if you aren’t, you should–Azure AD is a new but rapidly growing contender in this market. It’s quite clear that Microsoft aims to be competitive. It’s important to note that many of these other IDaaS solutions provide excellent capabilities.
Finally, you should be conversant with Azure AD for one simple reason: It is the identity infrastructure of Microsoft’s future. I’ll dive into this a little more deeply next month.
For more information about Azure AD, Channel 9 has several videos, cartoon style, that describe its fundamental concepts. Some are a little dated, but only because the product’s capabilities are evolving so rapidly. MSDN has technical documentation as well.