Welcome to this series of blog posts about Hybrid Identity!
Over the next few days, we want to talk about Hybrid Identity and, in particular, Microsoft Azure Active Directory. Hybrid Identity is part of the realm of Identity and Access Protection, which refers to the technologies, features, and processes that allow you to work with user identity information both in the cloud and on-premises (hence the term hybrid). Some organizations will be cloud only, some may remain on-premises only; but the majority of us need to work in both worlds.
Achieving your goals of ubiquitous access with the needed dose of control and protection begins with building a consistent approach to identity. Identity includes all of the traditional elements of identification, authentication, and authorization but must now include looking at devices, content classification, the network used to access resources, and even the geographic location, as well.
Microsoft offers an approach to identity and protection that ties this all together, giving you flexibility and control. Watch our Master of Mobility video to see hybrid identity in action.
Now that you’ve watched the video, let’s talk about how you can start creating a consistent user identity in the data center.
We begin with Active Directory. Active Directory has been around for 15 years and has continued to grow with the times. It remains a core piece of infrastructure for authentication and authorization for your on-premises solutions, but it has evolved. Some organizations, or perhaps some specific projects in larger organizations, will begin with a new directory in the cloud, but for most organizations, an identity store or repository already exists, often in the form of Active Directory Domain Services (AD DS).
In most large organizations, AD DS is only the beginning. Information about users is scattered across any number of systems and databases. Especially as organizations move to role-based access and embrace policy-based governance and automated provisioning, information from human resources and line-of-business systems must be used together with traditional user directories, and everything must be kept in sync.
Before considering the cloud, look at how to build a consistent identity across these systems. The main goals are to consolidate information into one central directory (or, when necessary, synchronize it across required systems) and reduce the number of credentials (user names and passwords) that a user has to use to access all of the resources they are authorized to use. The main tool that allows this is Microsoft Identity Manager.
By using Identity Manager, you reduce the administrative burden that IT staff have to carry, support automation of on‑boarding new users, and provide easy ways to deprovision users from multiple systems (computers, building access, anything stored in a database) when someone leaves the organization.
Another use of Identity Manager is to automatically synchronize user information among different directories and databases across the enterprise, making everyone more productive and keeping users’ identities consistent across all sorts of business systems. Identity Manager can also be configured to use its built-in workflow management to ensure that the right approvals are in place before changes are made.
To recap, AD DS provides a solid foundation for identity in an organization; Identity Manager extends a consistent identity across on‑premises databases and directories. But what about those systems that aren’t part of your on-premises infrastructure? What about partners? What about the cloud?
As we mentioned earlier, most organizations have to deal with preexisting pools of user information. For many years, the core of most Windows-based authentication has been AD DS, but especially as we look at cloud-based and public-facing projects, websites, and activities, a number of other applications and repositories are often found to be in play. Some of the most common include:
Any complete identity solution is going to have to take these items into account. Luckily for our hero, Microsoft has several solutions and ways to address this.
NEXT BLOG POST IN THIS SERIES: On-boarding to the Cloud
Comments in this blog are open and monitored for each post for a period of two weeks after the posting date. If you have a specific question about a blog post that is older than two weeks, please submit your question via our Twitter handle @MSCloud