Cloud Insights from Brad Anderson, Corporate Vice President, Enterprise Client & Mobility
Part 6 of a 9-part series.
Leaders in any industry have one primary responsibility in common: Sifting through the noise to identify the right areas to focus on and invest their organization’s time, money, and people. This was especially true during our planning for the 2012 R2 wave of products; and this planning identified four key areas of investment where we focused all our resources.
These areas of focus were the consumerization of IT, the move to the cloud, the explosion of data, and new modern business applications. To enable our partners and customers to capitalize on these four areas, we developed our Cloud OS strategy, and it immediately became obvious to us that each of those focus areas relied on consistent identity management in order to operate at an enterprise level.
For example, the consumerization of IT would be impossible without the ability to verify and manage the user’s identity and devices; an organization’s move to the cloud wouldn’t be nearly as secure and dynamic without the ability to manage access and connect people to cloud-based resources based on their unique needs; the explosion of data would be useless without the ability to make sure the right data is accessible to the right people; and new cloud-based apps need to govern and manage access just like applications always have.
In the 13+ years since the original Active Directory product launched with Windows 2000, it has grown to become the default identity management and access-control solution for over 95% of organizations around the world. But, as organizations move to the cloud, their identity and access control also need to move to the cloud. As companies rely more and more on SaaS-based applications, as the range of cloud-connected devices being used to access corporate assets continue to grow, and as more hosted and public cloud capacity is used companies must expand their identity solutions to the cloud.
Simply put, hybrid identity management is foundational for enterprise computing going forward.
With this in mind, we set out to build a solution in advance of these requirements to put our customers and partners at a competitive advantage.
To build this solution, we started with our “Cloud first” design principle. To meet the needs of enterprises working in the cloud, we built a solution that took the power and proven capabilities of Active Director and combined it with the flexibility and scalability of Windows Azure. The outcome is the predictably named Windows Azure Active Directory.
By cloud optimizing Active Directory, enterprises can stretch their identity and access management to the cloud and better manage, govern, and ensure compliance throughout every corner of their organization, as well as across all their utilized resources.
This can take the form of seemingly simple processes (albeit very complex behind the scenes) like single sign-on which is a massive time and energy saver for a workforce that uses multiple devices and multiple applications per person. It can also enable the scenario where a user’s customized and personalized experience can follow them from device to device regardless of when and where they’re working. Activities like these are simply impossible without a scalable, cloud-based identity management system.
If anyone doubts how serious and enterprise-ready Windows Azure AD already is, consider these facts:
Windows Azure AD is battle tested, battle hardened, and many other verbs preceded by the word “battle.”
But, perhaps even more importantly, Windows Azure AD is something Microsoft has bet its own business on: Both Office 365 (the fastest growing product in Microsoft history) and Windows Intune authenticate every user and device with Windows Azure AD.
In this post, Vijay Tewari (Principle Program Manager for Windows Server & System Center), Alex Simons (Director of Program Management for Active Directory), Sam Devasahayam (Principle Program Management Lead for Windows Azure AD), and Mark Wahl (Principle Program Manager for Active Directory) take a look at one of R2’s most innovative features, Hybrid Identity Management.
As always in this series, check out the “Next Steps” at the bottom of this post for links to wide range of engineering content with deep, technical overviews of the concepts examined in this post.
* * *
Today’s hybrid IT environment dictates that customers have the ability to consume resources from on-premises infrastructure, as well as those offered by service providers and Windows Azure. Identity is a critical element that is needed to provide seamless experiences when users access these resources. The key to this is using an identity management system that enables the use of the same identities across providers.
Previously on the Active Directory blog, the Active Directory team has discussed “What’s New in Active Directory in Windows Server 2012 R2,” as well as the features which support “People-centric IT Scenarios.” These PCIT scenarios enable organizations to provide users with secure access to files on personal devices, and further control access to corporate resources on premises.
In this post, we’ll cover the investments we have made in the Active Directory family of products and services. These products dramatically simplify Hybrid IT and enable organizations to have a consistent management of services using the same identities for both on-premises and the cloud.
First, let’s start with some background.
Today, Active Directory in Windows Server (Windows Server AD) is widely adopted across organizations worldwide, and it provides the common identity fabric across users, devices and their applications. This enables seamless access for end users – whether they are accessing a file server from their domain joined computer, or accessing email or documents on a SharePoint server. It also allows IT to set access policies on resources, and is the foundation for Exchange and many other enterprise critical capabilities.
Today’s Hybrid IT world is focused on driving efficiencies in infrastructure services. As a result we see organizations move more application workloads to a virtualized environment. Windows Azure provides infrastructure services to spin up new Windows Server machines within minutes and make adjustments as usage needs change. Windows Azure also enables you to extend your enterprise network with Windows Azure Virtual Network. With this, when applications that rely on Windows Server AD need to be brought into the cloud, it is possible to locate additional domain controllers on Windows Azure Virtual Network to reduce network lag, improve redundancy, and provide domain services to virtualized workloads.
One scenario that has already been delivered (starting with Windows Server 2012) is enabling Windows Server 2012’s Active Directory Domain Services role to be run within a virtual machine on Windows Azure.
You can evaluate this scenario via this tutorial and create a new Active Directory forest in servers hosted on Windows Azure Virtual Machines. You can also review these guidelines for deploying Windows Server AD on Windows Azure Virtual Machines.
We have also been building a new set of features into Windows Azure itself – Windows Azure Active Directory. Windows Azure Active Directory (Windows Azure AD) is your organization’s cloud directory. This means that you can decide who your users are, what information to keep in the cloud, who can use or manage that information, and what applications or services are allowed to access it.
Windows Azure AD is implemented as a cloud-scale service in Microsoft data centers around the world, and it has been exhaustively architected to meet the needs of modern cloud-based applications. It provides directory, identity management, and access control capabilities for cloud applications.
Managing access to applications is a key scenario, so both single tenant and multi-tenant SaaS apps are first class citizens in the directory. Applications can be easily registered in your Windows Azure AD directory and granted access rights to use your organization’s identities. If you are a developer for a cloud ISV, you can register a multi-tenant SaaS app you've created in your Windows Azure AD directory and easily make it available for use by any other organization with a Windows Azure AD directory. We provide REST services and SDKs in many languages to make Windows Azure AD integration easy for you to enable your applications to use organizational identities.
This model powers the common identity of users across Windows Azure, Microsoft Office 365, Dynamics CRM Online, Windows Intune, and third party cloud services (see diagram below).
For those of you who already have a Windows Server AD deployment, you are probably wondering “What does Windows Azure AD provide?” and “How do I integrate with my own AD environment?” The answer is simple: Windows Azure AD complements and integrates with your existing Windows Server AD.
Windows Azure AD complements Windows Server AD for authentication and access control in cloud-hosted applications. Organizations which have Windows Server Active Directory in their data centers can connect their domains with their Windows Azure AD. Once the identities are in Windows Azure AD, it is easy to develop ASP.NET applications integrated with Windows Azure AD. It is also simple to provide single sign on and control access to other SaaS apps such as Box.com, Salesforce.com, Concur, Dropbox, Google Apps/Gmail. Users can also easily enable multi-factor authentication to improve security and compliance without needing to deploy or manage additional servers on-premises.
The benefit of connecting Windows Server AD to Windows Azure AD is consistency – specifically, consistent authentication for users so that they can continue with their existing credentials and will not need to perform additional authentications or remember supplementary credentials. Windows Azure AD also provides consistent identity. This means that as users are added and removed in Windows Server AD, they will automatically gain and lose access to applications backed by Windows Azure AD.
Because Windows Azure AD provides the underlying identity layer for Windows Azure, this ensures an organization can control who among their in-house developers, IT staff, and operators can access their Windows Azure Management Portal. In this scenario, these users do not need to remember a different set of credentials for Windows Azure because the same set of credentials are used across their PC, work network, and Windows Azure.
Connecting your organization’s Windows Server AD to Windows Azure AD is a three-step process.
First, your organization may already have Windows Azure AD. If you have subscribed to Office365 or Windows Intune, your users are automatically stored in Windows Azure AD and you can manage them from the Windows Azure Management Portal by signing in as your organization’s administrator and adding a Windows Azure subscription.
This video explains how to use an existing Windows Azure AD tenant with Windows Azure:
If you do not have a subscription to one of these services, you can create a new Windows Azure AD tenant by following this link to sign up for Windows Azure as an organization.
Once you sign up for Windows Azure, sign in as the new user for your tenant (e.g., “email@example.com”), and pick a Windows Azure subscription. You will then have a tenant in Windows Azure AD which you can manage.
When logged into the Windows Azure Management Portal, go to the “Active Directory” item and you will see your directory.
Next, you can bring in your users from your existing AD domains. This process is outlined in detail in the directory integration roadmap.
After clicking the “Active Directory” tab, select the directory tenant which you are managing. Then, select the “Directory Integration” option.
Once you enable integration, you can download the Windows Azure Active Directory Sync tool from the Windows Azure Management portal, which will then copy the users into Windows Azure AD and continue to keep them updated.
Finally, for authentication we’ve made it simple to provide consistent password-based authentication across both domains and Windows Azure AD. We do this with a new password hash sync feature.
Password hash sync is great because users can sign on to Windows Azure with the password that they already use to login to their desktop or other applications that are integrated with Windows Server AD. Also, as the Windows Azure Management portal is integrated with Windows Azure AD, it supports single sign-on with an organization’s on-premises Windows Server AD.
If you wish to enable users to automatically obtain access to Windows Azure without needing to sign in again, you can use Active Directory Federation Services (AD FS) to federate the sign-on process between Windows Server Active Directory and Windows Azure AD.
In Windows Server 2012 R2, we’ve made series of improvements to AD FS to support Hybrid IT.
We blogged about it recently in the context of People Centric IT in this post, but the same concepts of risk management apply to any resource that is protected by Windows Azure AD. AD FS in Windows Server 2012 R2 includes deployment enhancements that enable customers to reduce their infrastructure footprint by deploying AD FS on domain controllers, and it supports more geo load-balanced configurations.
AD FS includes additional pre-requisite checking, it permits group-managed service accounts to reduce downtime, and it offers enhanced sign-in experiences that provide a seamless experience for users accessing Windows Azure AD based services.
AD FS also implements new protocols (such as OAuth) that deliver consistent development interfaces for building applications that integrate with Windows Server AD and with Windows Azure AD. This makes it easy to deploy an application on-premises or on Windows Azure.
For organizations that have deployed third-party federation already, Shibboleth and other third-party identity providers are also supported by Windows Azure AD for federation to enable single sign-on for Windows Azure users.
Once your organization has a Windows Azure AD tenant, by following those steps your organization’s users will be able to seamlessly interact in the Windows Azure management, as well as in other Microsoft and third-party cloud services. And all of this can be done with the same credentials and authentication experiences which they have with their existing Windows Server Active Directory.
As IT organizations evolve to support resources that are beyond their data centers, Windows Azure AD, the Windows Server AD enhancements in Windows Server 2012, and Windows Server 2012 R2 provide seamless access to these resources.
In the coming weeks you will see more details of the Active Directory enhancements in Windows Azure and in Windows Server 2012 R2 on the Active Directory blog.
* * *
This post is just the first of three Hybrid IT posts that this “What’s New in 2012 R2” series will cover. Next week, watch for two more that cover hybrid networking and disaster recovery. If you have any questions about this topic, don’t hesitate to leave a question in the comment section below, or get in touch with me via Twitter @InTheCloudMSFT.
To learn more about the topics covered in this post, check out the following articles. You can also obtain a Windows Azure AD directory by signing up for Windows Azure as an organization.