Cloud based Identity and Access Management for every user on every device

Howdy folks!

We're happy to announce that the Azure Active Directory (AD) Premium service will reach general availability (GA) in April 2014. Azure AD Premium is an identity and access management service designed to meet the demanding requirements of large enterprises.

For those of you not familiar with Microsoft Azure Active Directory, it provides an easy single sign-on experience to over 1100 cloud services like Box, Concur, Salesforce.com, and Microsoft cloud services like Office 365, Windows Intune and Dynamics CRM – on nearly every device and many browsers. With Azure AD Premium, customers can reset forgotten passwords, manage their groups and set up company-branded portals for launching these SaaS applications with a single set of corporate credentials. IT can protect data and resources on any cloud with synchronization to on-prem directories, machine-learning-based security reports, alerting and multi-factor authentication. Azure AD provides a rich standards-based platform that enables developers to deliver authentication and access control to their applications, based on centralized policy and rules.

Azure AD Premium provides identity and access management capabilities in the cloud with a 99.9% SLA, and no limitation on the number of resources in your directory.

  • Application access management. Azure AD provides employees with single sign-on access to their cloud applications from many different browsers and mobile devices. With recent additions there are over 1200 cloud applications in the AD Application Gallery. Azure AD Premium lets you assign application access to users using groups, which enables you to efficiently manage the end-to-end workflows for application access.
  • Self-service password reset. Our self-service password reset feature enables your employees to reset their passwords without calling your helpdesk. In April we will release a preview of our password write-back feature, which lets you use Azure AD Premium to reset on-premises passwords in Windows Server Active Directory.
  • Self-service group management. Our self-service group management feature gives you the ability to delegate group management to your employees. With this feature they can create groups, and manage memberships in groups they own. For our general availability release we've added policy controls for administrators and for owners of groups, and enhanced the visual design to provide a better experience for end users.
  • Multi-Factor Authentication. Our Multi-Factor Authentication feature enables you to quickly and easily set up a Multi-Factor Authentication solution for your enterprise without deploying new software in your local network or distributing hardware to your employees.
  • Customized branding. AD Premium enables you to brand the sign-in experience that end users see when they sign on to applications or use their Access Panel. We recently improved this functionality so that users see your organization-specific branding across more of their sign-in experiences.
  • Reporting, alerting, and analytics. Our reporting, alerting and analytics capabilities give you visibility into potential security concerns and into cloud application usage by users in your organization. For our general availability release we've added new reports that give you visibility into sign-ins from devices that may be compromised by malware, and increased visibility into cloud application usage.

Finally, Azure AD Premium also includes usage rights for Forefront Identity Manager Server and Client Access Licenses.

Azure AD Premium will be available for purchase through Microsoft's Enterprise Agreement volume licensing program. Once you have AD Premium, you can try out the administration experience by signing on to https://manage.windowsazure.com and opening your directory. You can try out the end user experience at https://myapps.microsoft.com. And for an overview and comparison of the AD Premium and AD Free services, click here.

Manage access to over 1100 applications

By April 2014 we will have over 1100 applications in the Azure AD Application Gallery for which you can manage access by users in your organization. We're adding applications rapidly: we've added more than 500 apps since November.

Fig 1: Azure AD Application Gallery

Users of both the Azure AD Free and the Azure AD Premium service can access applications to which they're assigned at https://myapps.microsoft.com or using our iOS application.

Self-Service Password Reset – password writeback from the cloud to your local AD

Azure AD Premium lets you easily deploy a self-service password reset solution for your organization. First, you define the security policy that specifies how your users can reset their own passwords. Next, each user registers for self-service password reset by entering or verifying their contact information. Then, when a user forgets their password, they can reset it themselves without calling the helpdesk.

In April 2014, we'll introduce a preview of our "password writeback" functionality, which enables a user to reset their password using Azure AD and have that new password written back to your Windows Server AD. This reduces the cost of managing your local AD because users will no longer need to call the helpdesk for assistance in resetting a forgotten password for your local network, and you won't need to maintain a separate password reset solution in your local network.

The password writeback feature of the AD Premium service enables your enterprise to build on your existing assets for user identity. It provides your users with a self-service experience, reduces your costs for managing existing systems, and helps you to protect your business.

Policy Control for Self-Service Group Management

With our general availability release we're adding more controls to our self-service group management experience for both administrators and group owners. You can see the group management policies on the CONFIGURE tab of your directory.

Fig 2: Configuring administrative policies for self service group management

We've also added functionality that lets group owners choose a membership policy for their groups:

  • Open. Any user in the organization can add themselves as a member of a group without approval from the group owner.
  • Owner approval. Any user in the organization can add themselves as a member of a group, subject to approval by the owner of the group.
  • Closed. Only the owner of the group can add members to the group.

Fig 3: Configuring membership policy by owner of a group

We've also improved the visual design of the self-service group management functionality to provide a more attractive and consistent experience for end users.

Fig 4: Updated visual design for self-service group management experience

Multi-Factor Authentication

Azure AD Premium enables you to protect your business using Azure Multi-Factor Authentication. You can quickly and easily select which users in your organization must use Multi-Factor Authentication to sign in. The first time one of those users signs in, he or she can choose a preferred contact method: a phone call, an SMS message, or a notification from an app on their Windows Phone, Android or iOS device. Then, each time that user signs in, the service contacts him or her using this method, with options to fall back to other methods if the primary option is not available.

Fig 5: Configuring users for Multi-Factor Authentication

Our Multi-Factor Authentication service enables you to customize voice greetings and many other settings that control the behavior of the service. You can even deploy our Multi-Factor Authentication service on your corporate network to control access to resources such as ADFS, RAS or IIS web applications. For more detail on our Multi-Factor Authentication service, see this blog post.

Fig 6: Administration experience for configuring Multi-Factor Authentication settings

Customized branding improvements

Azure AD Premium provides functionality to let you customize the experience that your users see when they sign in to applications, and when they access their Access Panel at https://myapps.microsoft.com. We've recently enhanced this experience so that users see this customized branding in a much broader range of scenarios where users sign in to Azure AD. To learn more about this, read this blog post.

To try out customized branding, sign in to the Windows Azure Management Portal, open your directory, click on the CONFIGURE tab, and click the CUSTOMIZE BRANDING button.

Fig 7: Configuring custom branding

There you can enter strings and upload graphics which will be used when your users sign in, or use their Access Panel.

Fig 8: Sign-in experience with customized branding

New Reports improve visibility into user security and cloud application usage

With our GA release we've added new reports which improve your visibility into the security of user accounts in your organization, as well as your users' usage of cloud applications. We now provide nine organizational reports, seen on the REPORTS tab of the directory, and a per-user report which is available when looking at a particular user in the Azure management portal.

Fig 9: List of organizational reports in Azure AD Premium

Our newest security report shows user sign-ins from possibly infected devices, based on Microsoft's analysis of IP addresses from which we observed attempts to contact servers hosting known malware.

Fig 10: Report of sign-ins from possibly infected devices

In addition, we've enhanced our application usage reporting with a new report that provides a summary view of usage across all integrated applications. It shows the list of applications which have been accessed in a specified time interval, and for each application, the number of unique users who attempted to access the application as well as the total number of access attempts. This data is based on clicks on the application's tile in the Access Panel. This report is available on the REPORTS tab.

Fig 11: Application usage report
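As an added illustration (not code from this post or from the Azure AD service), the Python below models what the two reports described above compute: the possibly-infected-devices report as a match of each sign-in's source IP against a watchlist, and the application usage report as per-application unique users and total access attempts within a time interval. The log line format, the sample events and the watchlist contents are constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample Access Panel sign-in events (not real telemetry):
# who clicked which application tile, when, and from which source IP.
SIGNINS = [
    "2014-04-02T08:15:00Z user=alice app=Salesforce ip=203.0.113.10",
    "2014-04-02T08:20:00Z user=bob app=Salesforce ip=203.0.113.11",
    "2014-04-02T09:01:00Z user=alice app=Box ip=203.0.113.10",
    "2014-04-02T09:45:00Z user=carol app=Salesforce ip=198.51.100.7",
    "2014-04-03T10:00:00Z user=alice app=Salesforce ip=203.0.113.10",
    "2014-04-05T11:30:00Z user=dave app=Concur ip=198.51.100.7",
]

# Constructed stand-in for the list of IPs observed contacting servers that
# host known malware. In the real service this comes from Microsoft's own
# analysis; here it is just a hypothetical watchlist.
POSSIBLY_INFECTED_IPS = {"198.51.100.7"}

LINE_RE = re.compile(r"^(\S+) user=(\S+) app=(\S+) ip=(\S+)$")

def _ts(text):
    """Parse the ISO-8601 UTC timestamp used in the constructed log format."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")

def parse(line):
    """Turn one constructed log line into a dict; reject malformed input."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError("unparseable sign-in line: " + line)
    return {"ts": _ts(m.group(1)), "user": m.group(2),
            "app": m.group(3), "ip": m.group(4)}

def usage_report(lines, start_iso, end_iso):
    """Per application: (unique users, total access attempts) in [start, end)."""
    start, end = _ts(start_iso), _ts(end_iso)
    users, attempts = defaultdict(set), defaultdict(int)
    for ev in map(parse, lines):
        if start <= ev["ts"] < end:
            users[ev["app"]].add(ev["user"])
            attempts[ev["app"]] += 1
    return {app: (len(users[app]), attempts[app]) for app in attempts}

def infected_device_signins(lines, watchlist):
    """Sign-ins whose source IP appears on the possibly-infected watchlist."""
    return [ev for ev in map(parse, lines) if ev["ip"] in watchlist]
```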

Enabling users to use Azure AD Premium

Azure AD Premium is sold on a per-user license basis. Only users who are assigned a license to Azure AD Premium can use the Azure AD Premium features, such as self-service password reset, self-service group management, or group-based access to applications.

With this release, we've added functionality in the Azure Management portal for you to see the license plans for your organization, and to assign licenses to users and remove them. To see the license plans available in your organization, sign in to the Azure Management portal, open your directory, and click the LICENSES tab.

Fig 12: License plans in an organization

To assign licenses to users, select a license plan and click ASSIGN in the command bar at the bottom of the screen.

Fig 13: Assigning licenses to users in an organization

Let us know what you think! Whether it's a feature you love, something you'd like to see us add, questions about how something works, or even an experience that drives you crazy, we really appreciate all the questions and feedback you give us at the Windows Azure AD Forum.

Best regards,

Alex Simons (twitter: Alex_A_Simons)

Director of Program Management

Active Directory

Comments
  • A multi-month effort is coming to light! Great stuff, team. Congrats!

  • This is looking great!

  • When you add a user say to an open group, will that get replicated to the on-premise domain group?

    The group mgmt. is interesting, but the use cases that I see are that approval is not always by owner. The approval could be open, by group owner(s) or by the employee's manager. This is a good start!

  • @JES: Thanks for the feedback! We will turn on a preview of replicating back to on-premise AD in the next ~30 days or so. In terms of approval workflow/lifecycle management for groups you will see us add a lot of richness in the coming months.

  • This is one technology that I would love to be able to use for myself. It’s definitely a cut above the rest and I can’t wait until my provider has it. Your insight was what I needed. Thanks

    http://www.lgnetworksinc.com/managed-services/

  • This is excellent! Is a comprehensive list of the supported web apps published anywhere? It would be great if it were possible for customers to add any websites they want by simply associating an AD credential with the website credential. This would be useful in my healthcare environment where our users have so many usernames and passwords for customer EMR systems and payer inquiry systems, both of which contain PHI which we are charged with protecting. If the IT could control the underlying website password and the user never needs to know it, that would suit my needs for more obscure sites that Microsoft may never add support for.

  • Is there any alternative to an Enterprise Agreement to obtain AAD Premium? We don't have 250 PCs in our organisation but would see a clear benefit of using the Premium version for our cloud-based software offering. We have been trialling the Premium preview but are now facing being moved back to the free version :-(

  • How do we use this system to control physical access via smart doors?

  • Way back in 2013 I predicted all this. #thumbsup