I'm Eran Dvir, a lead program manager in Active Directory. In a previous post I described how to quickly access our new application access enhancements in Windows Azure Active Directory. In this post I want to extend that by explaining how existing Office 365 subscribers can access these capabilities. There are a number of documents out there describing how to activate Windows Azure Active Directory on any existing Microsoft Services subscription you may have, most notably a walkthrough video by Matt Steele. This post will help you better understand the relationship between Office 365 and Windows Azure AD and provide one easy path to add the application access enhancements to your existing Office 365 subscription.
To get started, how does Windows Azure Active Directory fit with Office 365? In general terms, Windows Azure AD is the primary directory for all organizational Microsoft online services, including Office 365, Windows Intune and Microsoft Dynamics. There are a number of ways to manage your Windows Azure AD: Office 365 and Dynamics subscribers often use the Office 365 management portal or PowerShell, and Windows Intune subscribers can similarly accomplish basic identity functions in the Windows Intune administrator portal. Earlier in the year we released the Azure Active Directory administrative portal as a part of the Windows Azure portal. While there will be ongoing investments in the various applications' management portals, rich identity and access management capabilities will be exposed through the Windows Azure Active Directory portal first. For example, today you can already evaluate application access enhancements for Windows Azure AD by accessing your directory through the Windows Azure portal. With this feature you can easily set up single sign-on to cloud-based applications and enable your users to easily discover and access these applications with the Windows Azure Access Panel.
To access the Windows Azure portal for your existing Office 365 subscriptions, all you need to do is activate a free Windows Azure subscription on your existing account. The following instructions walk you through this process in detail.
Note: Any changes made to your directory through the Windows Azure AD portal will take effect on your Office 365 service immediately. We do not recommend using our preview features on a production Office 365 tenant!
As always, we really appreciate your feedback. The easiest way to contact us to let us know what you think, if anything is missing, or if something didn't work as expected is through email. If you are interested in a closer engagement with our engineering team regarding application access enhancements for Windows Azure Active Directory, you can also register through this survey.
Windows Azure Management Portal – http://manage.windowsazure.com
Access Panel - https://account.activedirectory.windowsazure.com/applications
Application access enhancements for Windows Azure Active Directory technical reference - http://technet.microsoft.com/en-us/library/dn308590.aspx
Windows Azure preview features - http://www.windowsazure.com/en-us/services/preview/
Active Directory Team Blog - http://blogs.technet.com/b/ad/
Using an existing Windows Azure AD Tenant with Windows Azure - http://blogs.technet.com/b/ad/archive/2013/04/29/using-a-existing-windows-azure-ad-tenant-with-windows-azure.aspx
Using the following instructions you will:
If you already have a Windows Azure subscription on your Office 365 global administrator account, you can proceed to step 2.
To get started, all you need is your Office 365 Global Administrator account and an account for your favorite cloud-based application.
You may be prompted to re-authenticate when you access the signup page.
You will next be prompted to add and validate a contact phone number.
You will then be prompted to add your payment information (you will need a credit card to activate the Windows Azure trial subscription but there will be no cost for usage of application access enhancements for Windows Azure Active Directory) and finally to confirm the Windows Azure Agreement.
Welcome to Windows Azure! You have completed your trial tenant signup. You will now be redirected to the Windows Azure subscription management page and can proceed to the Windows Azure management portal by clicking on the "Portal" button at the top right corner of your screen.
This will bring up the Windows Azure application gallery; the list has quite a few applications and will continue to expand every few weeks. In this example we will select the application "Skype". This can be done by selecting the "Telecommunications" category on the left hand pane, selecting the "Skype" application in the middle pane and confirming by clicking the checkmark on the bottom right.
Once an application is added to your directory, you can assign the application to specific users through the users tab under the application. Here you can select the right users and use the "Enable Access" button at the bottom to grant access. If the application is configured with password single sign-on, as is the case in this example, you can also configure the user's credential (username and password) for this application. This can be done by ticking the checkbox "I want to enter the Skype credentials on behalf of the user" while enabling access or through the "edit account" button after the access has been enabled. If you choose not to do this, the user will be able to enter their own credential through the Access Panel. It is important to note that users can only see in the Access Panel those applications the administrator has granted them access to.
Now browse back to the Application tab; you can do this by clicking on the back button in the portal. Here you can see the Microsoft Office365 Exchange and SharePoint applications.
When clicking on the Skype application tile for the first time, you may be prompted to download and install a browser extension. The extension is needed to support the password single sign-on functionality. If this is the case, please follow the browser-specific instructions.
Once the browser extension is installed the user can configure their Skype credentials (username and password) by clicking on the Skype tile or by using the configure option. If you have assigned credentials for this user they will not need to perform this step and instead will be redirected and signed into the application.
From now on the user can access their Skype account using Windows Azure Active Directory by selecting the Skype tile on the Access Panel.
As explained above, the Windows Azure Access Panel can be used to access all your cloud-based applications. In this example you can also access your Office 365 Outlook and SharePoint through the Access Panel tiles.
Following these instructions you have just added a Windows Azure trial subscription to your Office 365 account, taken your first steps in managing your directory through Windows Azure AD, and assigned an application to your trial directory users. You also got a first view of the end user experience through the Access Panel and used Windows Azure Active Directory to access this application.
You can continue exploring the administrator and end user functionality: adding more applications through the application gallery, configuring user provisioning, and assigning applications to specific users.
I hope you'll find these instructions helpful! I'm looking forward to seeing even more of you using the Application Access enhancements for Windows Azure AD!
Tried to leave a comment... but it didn't take. I am not going to write it again. *sigh*
Ok.. let's try this post again.
Please tell me this isn't going into production. The azure sign up page asks for my info all over again, when it shows I am signed in!? It should have populated from my office365 tenant... So no, I am not going to type in yet another name, phone number, credit card info when all of that is already in office365. Isn't it supposed to be ONE federated login for all Azure apps?? What happened? I bet all my users will have to do the same too. And for every application. I might as well accidentally enter that info into google once, and get all their apps...
Also, it's crazy to charge for identity management. Identity management that leads to applications like Skype where businesses are willing to pay for skype credits for employee use because Lync just doesn't cut it. How many times do we need to enter that billing info again? once for office365, once for azure, once for skype? Arrrgh!
@DraconPern - yes, it's definitely suboptimal. For historical (dumb) reasons, Office and Azure are on different billing systems. We are working to fix this now so that we don't have to ask you to sign up over and over again. Sorry about the inconvenience here.