Microsoft has unveiled details and its strategy around Active Directory for the cloud. The company said changes to the current concepts around identity management need a "reset" to handle the "social enterprise." Microsoft adds it is "reimagining" how its Windows Azure Active Directory (WAAD) service helps developers create apps that connect the directory to SaaS apps and cloud platforms, corporate customers and social networks.
Windows Azure Active Directory (WAAD)has shown itself to be an identity and access management service for both Microsoft Office 365 and Windows Azure-based applications.
Microsoft has been working to enhance Windows Azure Active Directory by adding new, Internet-focused connectivity, mobility, and collaboration capabilities that offer value to applications running anywhere and on any platform. This includes applications running on mobile devices like iPhone, cloud platforms like Amazon Web Services, and technologies like Java.
The easiest way to think about Windows Azure Active Directory is that Microsoft is enabling an organization's Active Directory to operate in the cloud. Just like the Active Directory feature in the Windows Server operating system that operates within an organization, the Active Directory service that is available through Windows Azure is an organization's Active Directory.
"Because it is your organization?s directory, you decide who your users are, what information you keep in your directory, who can use the information and manage it, and what applications are allowed to access that information. And if you already have on-premises Active Directory, this isn?t an additional, separate copy of your directory that you have to manage independently; it is the same directory you already own that has been extended to the cloud," Kim Cameron, a distinguished engineer working on identity at Microsoft, said on his blog.
Microsoft promises to keep Active Directory running in the cloud with high scale, high availability, and integrated disaster recovery, while respecting requirements for the privacy and security of your information.
Today Microsoft Office 365, Microsoft Dynamics CRM, Windows Intune software and services, and many third-party applications created by enterprises, established software vendors, and enterprise-focused startups are working with Windows Azure Active Directory.
Each time a new organization signs up for Office 365, Microsoft automatically create a new Windows Azure Active Directory that is associated with the Office 365 account. No action is required on the part of the individual signing up.
With an Active Directory in place, the owner of the Office 365 account is able to add users to the directory. The owner of the account is also able to manage passwords for the users, determine what roles they are in and which applications they can access, and so on.
All the applications in Office 365 - Microsoft Exchange Online, SharePoint Online, Lync Online, and Office Web Apps - work with Windows Azure Active Directory, so users get single sign on. Moreover, advanced Active Directory capabilities like information protection are available using this common identity. The Windows Azure Active Directory SSO capability can be used by any application, from Microsoft or a third party running on any technology base. So if a user is signed in to one application and moves to another, the user doesn?t have to sign in again.
Once an application establishes SSO with Windows Azure Active Directory, the application can use information in the directory, including information about people, groups, security roles, and so on. This makes an application more current and relevant, and it can save users a lot of time and energy because they don't need to re-create, sync, or otherwise manage this information for each application that they use.
Office 365 users don't get a separate bill for their use of Windows Azure Active Directory; the costs of using Windows Azure and Windows Azure Active Directory are incorporated in the overall cost of the Office 365 solution.
For organizations that are already using Active Directory for on-premises identity management, Microsoft makes it easy to "connect" Windows Azure Active Directory with an existing directory. At the technical level, organizations can enable identity federation and directory synchronization between an existing Active Directory deployment and Windows Azure Active Directory.
When an organization does this, its Active Directory is, in a sense, stretching over both an on-premises and a cloud deployment.
In addition, being able to operate in this hybrid mode is critical for some organizations because of business or regulatory requirements that mandate that certain critical information, such as passwords, be maintained in on-premises servers.
To make the Active Directory service operate at high scale and with very high availability (including the ability to do incremental servicing) and provide integrated disaster recovery, Microsoft made changes to the internal architecture of Active Directory and moved from a server-based system to a scale-out, cloud-based system. For example, instead of having an individual server operate as the Active Directory store and issue credentials, Microsoft splits these capabilities into independent roles. The company made issuing tokens a scale-out role in Windows Azure, and partitioned the Active Directory store to operate across many servers and between data centers.