Windows Azure Active Directory Updates in 2013


​If you haven’t looked at Azure Active Directory for a while, look again: This baby’s had a growth spurt


    The Azure Active Directory product group was on a tear in 2013. In previous years, it developed this multi-tenant directory service for the cloud (based on existing AD technology), put it into production, and built do-or-die services such as Office 365 on top of it. This service grew in lockstep with the popularity of Microsoft’s online services until the growth made Azure AD the world’s largest multi-tenant directory (as of 10/2013: 1.4 million tenants with Microsoft Online Services subscriptions, 240 million user accounts, 10 billion authentication requests in a week, 430 billion total authentication requests). And the product has been in general availability for only 8 months. Since then, the team has added a substantial list of enhancements to Azure AD to support Microsoft’s Cloud OS vision, and to bring the cloud directory service into contention with other Identity as a Service (IDaaS) offerings on the market. What was added to Azure AD in 2013, and what might be coming this year? Here’s a chronology of Azure AD’s enhancements in 2013:


    Azure AD general availability. Although it was already supporting hundreds of thousands of tenants and millions of users, the service reached the general availability milestone (a murky definition for web releases).


    Application access enhancements. This enhancement provided single sign-on (SSO) capabilities for SaaS applications. This preview was Azure AD’s first clear step into the IDaaS market as a competitor to other IDaaS vendors, such as Centrify, Covisint, OneLogin, Okta, PingOne, and Symplified. Like these solutions, Azure AD gained an application access panel that presents a graphical list of SaaS applications that users can transparently sign on to. The panel began with fewer than 100 apps, but it continues to grow on a daily basis.

    Support for multi-factor authentication (MFA) public preview. With this feature, companies can enable MFA for identities in Azure AD to help secure access to Office 365, Windows Azure, Windows Intune, Dynamics CRM Online, and other apps that are integrated with Windows Azure AD. In addition, you can use the on-premises Active Directory Federation Services (AD FS) role and the Web Application Proxy feature in Windows Server 2012 R2 to create a hybrid MFA solution for both Azure AD users and on-premises Windows Server AD users.


    Improvements to application access enhancements public preview. This preview included app gallery improvements, improvements in management of password-based SSO apps, and bulk enabling or disabling of MFA for Azure AD identities.


    Create and manage multiple Azure ADs within an Azure subscription. As if AD nomenclature wasn’t confusing enough, this enhancement lets you create more than one Azure AD tenant within an Azure subscription. Why would you do this? It’s designed for lab or development scenarios, or staging to production purposes. The key word here is tenant. In my understanding of the service, there’s only one Azure AD overall—and it’s a big one. All we can touch are the tenants, which are the individual directory instances.

    Multi-factor Authentication general availability. Now a billable option, MFA is charged per user, or per authentication. In a boon for security, MFA for Azure AD administrative accounts remains free. Nice!


    Azure AD Premium public preview. Azure AD Premium is Microsoft’s first cut at charging for its IDaaS services. The Premium public preview is itself free until this feature set moves to general availability status some time in Q1. Then it will become a billable service (price TBD). The preview includes the following features:

    • Self-service password reset (SSPR) for users—Just as its name describes, SSPR allows users to reset their Azure AD account passwords without going through a Help desk. Note that at this time, SSPR is available only to Azure AD accounts.
    • Group-based provisioning and access management to SaaS apps—You can use Windows Server AD security groups, copied into Azure AD from Windows Server AD via DirSync (or via Group Management for Admins, below), to assign access to SaaS apps in bulk. For example, you can create a Salesforce Users security group in Windows Server AD and, once the group has synchronized into Azure AD, assign this group access to your Salesforce app connection.
    • Customizable access panel—You can now brand the application access panel with your company logo and colors.
    • Machine learning-based security monitoring and reports—This Premium feature promises advanced reporting, including anomalies and inconsistent access patterns, logons by users who logged on from unknown sources, logons that occurred after multiple failures, and logons from multiple geographies in short timespans. It will be interesting to see how these reporting capabilities stack up against those of other reporting tools, and how they evolve over time.

    I’m not sure it’s being explicitly branded as such, but Azure AD Basic is essentially all the free features not included in Premium. Microsoft has emphasized that the Premium offering features will continue to grow as the product evolves.

    Application access enhancements general availability. These changes were moved to general availability status.

    Enhancements to creating and managing multiple Azure AD directories within a subscription. This enhancement includes improvements such as the ability to easily rename a directory and add users to a new directory from an existing directory.

    Public-facing App Gallery site. This update allows potential customers of the Azure AD as an IDaaS service (i.e., not just an Office 365 foundation) to “window shop” the SaaS apps that the service supports without signing up for a subscription.

    Enhancements in the GraphAPI. The GraphAPI is the RESTful interface to Azure AD that developers use to extract data from it, and to explore the relationships between the data. It’s analogous to using LDAP to query Windows Server AD.


    Group management for admins public preview. This feature allows admins to perform create/read/update/delete (CRUD) operations on security groups directly in Azure AD. You can only assign groups to SaaS applications, however, if you are subscribed to Azure AD Premium,

    Custom branding support public preview. This feature allows you to create a branded sign-in page. Like the customizable Access Panel, this will be part of the Premium offering when it achieves general availability.

    Open-sourcing Azure AD developer libraries. Microsoft is making the Active Directory Authentication Libraries (ADAL) available on as open-source libraries.

    And Beyond …

    What’s coming in the future? You can expect greater integration between on-premises Windows Server AD and Azure AD, such as providing SSPR for Windows Server AD via Azure AD. This and other on-premises/cloud-integration capabilities will require a more complex two-way identity flow within the hybrid Windows Server AD/Azure AD identity infrastructure, not just one way from Windows Server AD to Azure AD. Using AD terminology, this means that either Windows Server AD or Azure AD will be able to perform originating writes to the overall hybrid directory of Windows Server AD + Azure AD. These updates will then replicate throughout the hybrid identity infrastructure.

    If 2013 is any indication, Azure AD will continue to advance strongly in 2014. The cloud directory had a lot of catching up to do compared with its mature Windows Server AD partner’s capabilities, and it has definitely closed the gap. But to be clear, I believe Microsoft has no intention of giving Azure AD feature parity with Windows Server AD. Rather, it’s building out Azure AD to be a full partner with Windows Server AD to create a hybrid identity infrastructure that supports a hybrid enterprise. The two-way Windows Server AD/Azure AD replication I described above would be just one of these supporting changes.



Category: News
Published: 1/21/2014 14:34

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.