Active Directory from on-premises to the cloud

Understanding the role of Identity Management as a Service (IDaaS)

As introduced and further discussed by the whitepaper Towards Identity as a Service (IDaaS) - Use cloud power to solve cloud era challenges, e.g. the introductory part of this series of documents part of the same series of documents available on the Microsoft Download Center, the cloud is changing the way in which applications are written.

Accelerated market cycles, multi-tenancy, pure cloud solutions and hybrid deployments, web programmability and the API economics, the rise of devices (smartphones, tablets, etc.) as well as rich clients as consumption models offer without any doubt new opportunities.

For consumers, social media is emerging as a key source of identity. Real world examples of this include organizations that have internet-centric business models. Consider music download sites such as Spotify that allow users to login using their Facebook identities make it far easier for users to sign up.

Furthermore, usage of social identities appears to be expanding into more conservative areas; for example, the UK government is evaluating Facebook as part of the Identity Assurance (IDA) program, a way of better enabling secure transactions between public sector bodies and citizens.

At the same time these changes present new challenges for the key services (both on-premises and in the cloud) that represent identity lifecycle management, provisioning, role management, authentication and security of users and devices requiring granular access. The net result is to propel identity to first rank of importance.

Key issues that require better identity capabilities include:

  • The "Bring Your Own Apps" (BYOA) for cloud and Software as-a-Service (SaaS) applications,
  • The desire to better collaborate a la Facebook within the "social" enterprise where organizations more and more expect to experience themselves as social networks,
  • The need to support and integrate with social networks, which lead to a "Bring Your Own Identity" (BYOI) trend,
  • The imperative of quickly becoming part of the API economy,

Identity becomes a service where identity "bridges" in the cloud "talk" to on-premises directories or the directories themselves move and/or are located in the cloud.

Identity, like compute, storage and networking, is an essential platform service. In the same way that identity played a critical role in the adoption of workgroup computing, identity services will play a critical role as organizations adopt the (hybrid) cloud, embracing and managing the "Bring Your Own Device" (BYOD) trend, and the API economy. Organizations (will) use cloud services and applications created by (cloud) ISVs, Platform-as-a-Service (PaaS) cloud platforms for (Line of Business (LOB)) custom development, (as well as Infrastructure-as-a-Service (IaaS) cloud environment for specific workloads to onboard the cloud for IT optimization reasons).

All of the above implies a new Identity Management model. This has to cut costs as well as deployment complexity – not increase them. Organizations need a specialized service that appropriately handles identity as well as security and privacy for them – with an increased level of specialization and professionalization adequate to emerging cyber threats. About the key understanding this leads to is how you get more capability for less money by leveraging cloud capabilities.

Kim Cameron, Microsoft Chief Identity Architect, is convinced that "organizations will find they need new identity management capabilities to take full advantage of the cloud. They will also find that the most reliable and cost-effective way to obtain these capabilities is through Identity Management as a Service – i.e. using the cloud to master the cloud."

We can therefore predict with certainty that almost all organizations will subscribe to these identity (hybrid) services. Enterprises will use these services to manage authentication and authorization of internal employees. But in the outward looking world that is emerging so quickly it will be just as important to manage access to services by an organization's supply chain, its customers (including individuals), its leads and prospects. Governments will use them when interacting with other government agencies, enterprises and citizens.

Identity Management as-a-Service (IDaaS), will directly attack these problems – simplifying life for government and enterprise service providers and their end users. Once again, by leveraging efficiencies of the cloud and automation to get efficiencies in identity, IDaaS can:

  • Offer ALL necessary high security and high privacy identity capabilities – while maintaining usability.
  • Provide a business centric portal for configuring identity services.
  • And finally cut costs.

These requirements and capabilities will drive almost all organizations to subscribe to identity services that are cheaper, broader in scope, more unifying and more capable than the systems of today.

Identity Management as a Service (IDaaS) will require that we move beyond the models of identity management that have guided our thinking to date. A new service-based model will emerge combining more advanced capabilities with externalization of operations to achieve reduction in risk, effort and cost. High end security capabilities will become utilities available even to the smallest organizations, resulting in a democratization of the safe Internet.

The next sections discuss in this context the Microsoft's Identity Offerings in the hybrid era.

Fulfilling the on-premises or private cloud's requirements

Microsoft has earned widespread adoption of its on-premises identity technology, a suite of capabilities packaged and branded as Windows Server Active Directory (WSAD). AD is used extensively by governments and enterprises world-wide. Its capabilities include:

  • Single Sign-On (SSO) and access control across a wide range of applications and resources.
  • Sharing of information between applications - for example, information about people, groups, reporting relationships, roles, contact information, printer locations, and service addresses.
  • Information protection that enables encryption and controlled access to documents.
  • Discovery of computers, printers, files, applications, and other resources.
  • Tools to manage users, groups, and roles; reset passwords; and configure and distribute cryptographic keys, certificates, access policies, and device settings.

Although referred to as "a directory" AD includes a wide gamut of identity services that implement (and have helped drive adoption of) many important standards. These include:

  • Active Directory Domain Services (AD DS) Directory identity store (which natively uses LDAP).
  • Kerberos Network Authentication Service (RFC 1510, RFC 4120, etc.).
  • Active Directory Certificates Services (AD CS) – X.509, PKIX, etc.
  • Active Directory Federation Services (AD FS) - Federation technologies such as WS-Federation and SAML 2.0.
    • Active Directory Lightweight Directory Services (AD LDS) Directory identity/application store (LDAP).

Related products like Microsoft Forefront Identity Manager (FIM) perform rule-based synchronization with many other identity stores:

  • Office 365, DSML, DB2, Tivoli, LDIF, Lotus, E-Directory, Oracle Database, SQL Server, Sun Directory Server 6.x, SAP, Oracle PeopleSoft, MySQL, and many others.

FIM also provides advanced self-management capabilities based on work flows; and rule-based smart card management.

AD is used extensively by governments and enterprises world-wide. AD is widely deployed in the Global 5000 today as their authoritative identity and access management system as well as in small and medium enterprises and we will not describe it further here.

The important new information here is that to meet the requirements of hybrid deployment AD can be extended into public clouds and/or into private clouds.

Extending AD to a Public Cloud

Azure Active Directory (Azure AD) has been designed to easily extend AD (in whole or in part) into the public Azure cloud as a directory whose content is owned and controlled by the organization providing the information.

This will be described in the next section.

In addition, for compatibility with existing on-premises applications, it is possible to install WSAD domain controllers (DCs) within Azure data centers where they can service requests from Azure applications running there in the Infrastructure Services.

As a broad usage workload type, WSAD DCs can be deployed either standalone or as part of a larger application, with or without on-premises connectivity (to the organization's identity infrastructure).

Note    Azure AD Domain Services, a cloud based service gives you a fully WSAD compatible set of API's and protocols, delivered as a managed Azure service. In other words, thanks to this new concept, you can now turn on support for all the critical directory capabilities your application and server VM's need, including Kerberos, NTLM, Group Policy and LDAP. For more information, see blog post #AzureAD Domain Services is now GA! Lift and shift to the cloud just got WAY easier! and article Azure AD Domain Services.

Azure Virtual Machines help moving (part of) your business, applications and infrastructure to the cloud without changing existing code in their own unique way, at their own unique speed.

As its name clearly indicates, Azure Virtual Machines provides support for virtual machines (VMs) provisioned from the cloud. At a glance, a VM consists of a piece of infrastructure available to deploy an operating system and an application. Specifically, this includes a persistent operating system (OS) disk, possibly some persistent data disks, and internal/external networking "glue"/connectivity to hold it all together. With these infrastructure ingredients, it enables the creation of a platform where you can take advantage of the reduced cost and ease of deployment offered by Azure. It's all the more so with the Infrastructure-as-code and Configuration-as-code advanced capabilities provided by Azure Resource Manager (ARM).

Note    For more information, see article Azure Resource Manager overview.

VMs indeed give you application mobility, allowing you to move your virtual hard disks (VHDs) back and forth between on-premises and the cloud.   This enables you to migrate your existing VM, to bring your own customized Windows Server or Linux images, etc.   As a common virtualization file format, VHD has been adopted by hundreds of vendors and is a freely available specification covered under the Microsoft Open Specification Promise (OSP). The new version VHDX is also available as a free specification covered under the OSP.

While "migration" is a simple goal for any IaaS offering, the ultimate objective consists in being able to run the exact same on-premises applications and infrastructure or part of them in the cloud and thus enabling onboarding and off-boarding of workloads in order to improve the agility of the organization, i.e. its ability to capitalize on new opportunities and respond to changes in business demands.

Such a process might involve transferring an entire multi-VM workload, which may require virtual networks for hybrid connectivity to an on-premises deployment. (This can be seen as a cross-premises deployment.)

To mimic an on-premises deployment with a multi-VM workload as needed here, virtual networks are also required. This is where Azure Virtual Networks come into play. Azure Virtual Networks let you provision and manage virtual networks (VNET) in Azure. A VNET provides the ability to create a logical boundary and place VMs inside it. VNET also provides the capability of connecting Azure Cloud Services (VMs, web roles, and worker roles).

Azure Virtual Network provides control over the network topology, including configuration of IP addresses, routing tables and security policies. A VNET has its own private address space. The address space is IPv4 and IPv6. With Virtual Network, you can easily extend your on-premises IT environment into the cloud, much the way that you can set up and connect to a remote branch office. You have multiple options to securely connect to a Virtual Network - you can choose an IPsec VPN or a private connection using the Azure ExpressRoute service.

To synthetize, Azure Virtual Network allows you to create private network(s) of VMs in your Azure tenant environment that you can assign IP addresses to, and then optionally connect to your data center through. Using this method, you can seamlessly connect on-premises (virtual) machines to VMs running in your Azure tenant.

The above capabilities enable the support of three typical key Microsoft workloads to deploy in the cloud:

  1. Active Directory. A hybrid identity solution with extensive networking expectations.
  2. SQL Server. A database workload with expectations for exceptional disk performance.
  3. SharePoint Server. A large-scale, multi-tier application with a load-balanced front-end. Moreover, SharePoint Server deployments include Active Directory and SQL Server.

These broad workload types can be deployed either standalone or as part of a larger application, with or without on-premises connectivity.

In the specific context of this paper, Azure Virtual Machines and Azure Virtual Network enable AD in Azure a reality of today.

The fundamental requirements for deploying AD on VM(s) in Azure differ very little from deploying it in VMs (and, to some extent, physical machines) on-premises. For example, if the domains controllers that you deploy on VMs are replicas in an existing on-premises corporate domain/forest, then the Azure deployment can largely be treated in the same way as you might treat any other additional AD site. That is, subnets must be defined in AD, a site created, the subnets linked to that site, and connected to other sites using appropriate site-links. There are, however, a number of differences that are common to all Azure deployments and some that vary according to the specific deployment scenario.

Before entering this path, we strongly advise to consider the benefits provided by Azure AD Domain Services in lieu of deploying AD on VM(s).

If your assessment confirms this direction, the articles Install a new Active Directory forest on an Azure virtual network and Guidelines for Deploying Windows Server Active Directory on Azure Virtual Machines cover the fundamental differences and explained in great detail how successfully deploy and operate AD in Azure. The former deals with a standalone configuration in the cloud whereas the latter highlights the requirements for deploying AD in a hybrid scenario in which AD is partly deployed on-premises and partly deployed on VMs in Azure.

Whatever the scenario is, and as you understand, AD in Azure simply means AD running in your VMs in your Azure tenant for the best compatibility with existing applications and for hybrid applications.

AD in Azure is NOT Azure AD, a REST-based service that provides identity management and access control capabilities for modern business applications.

Extending AD to a Private Cloud

AD can also be deployed as the backbone of a private cloud run in any data center chosen by the organization deploying it.

This private cloud backbone can be tightly connected as an integral part of the organization's on-premises AD or be loosely coupled (through MIM synchronization for example).

Taking on the challenges of the public cloud

Azure AD is Microsoft's vehicle for providing IDaaS capabilities in a public cloud. Microsoft's approach to IDaaS is deeply grounded in – and extends – the proven concepts of on-premises AD.

The foundational concept of on-premises AD is that the content of the directory is the property of the organization deploying it and access to and use of that content is completely under the organization's control. This is also the fundamental concept behind Azure AD.

Azure AD is NOT a monolithic directory of information belonging to Microsoft, but rather, at the time of writing, more than three million different directories belonging to and completely controlled by different organizations.

This architecture and commitment is called "multi-tenant" and great care has been provided to insulate tenants (organizations) from each other and from their service operator – Microsoft.

Furthermore, when efforts to create a new cloud based Identity Management as a Service (IDaaS) platform on Azure started a few years ago, Microsoft knew the world had changed (or was about to changed). To help you successfully bridge into the modern world of devices and cloud services, we were going to have to do a lot of things differently:

  • We were going to need to create new company directories in under a minute.
  • We were going to need to scale to millions of companies with billions of users. This is already the case for companies.
  • We were going to have to deliver rock solid reliability and assure that even when a datacenter went down, the Azure AD service wouldn't go down.
  • We were going to have to modernize our device support going beyond the PC and other Microsoft devices to support a diverse world of smartphones and tablets.
  • We were going to need to base our system on modern internet standards and protocols like OAuth 2.0, OpenID Connect, SCIM 2.0, and OData beyond the support of SAML 2.0, WS-Federation, and WS-Trust.
  • We were going to need to federate with popular on-premises enterprise federation servers from various vendors or open source communities along with consumer IDP's like Microsoft Account, Facebook, Google, Yahoo.
  • We were going to need to build a system that respected user privacy, company data ownership and geo-political data sovereignty laws.
  • We were going to need to provide world-class support developers and IT personnel working with non-Microsoft platforms.
  • We were going to have to make getting a directory friction free so that every company in the world could benefit from the power of an enterprise directory without requiring a cross-company planning and deployment team.

Taking all of the above as a starting point, we have re-engineered AD, to support massive scale, devices based on any operating system or architecture, modern business applications, modern protocols, high availability, and integrated disaster recovery.

Since we first talked about it in November 2011, Azure AD has shown itself to be a robust identity and access management service for Microsoft cloud services like Office 365, Dynamics 365, Intune and Azure to store user identities and other tenant properties. A number of people are (still) surprised to find out that every Office 365 customer already has an Azure AD directory.

Moreover, Azure AD is available for use by organizations who have applications running on any cloud platform or on-premises, and is offered as a service on the Azure Cloud platform (see below). Tenants can control the geographical region or regions in which their data resides.

The service operates more than 10 million of tenants and actually processes more than 1.3 billion, with a B, authentications every week. Since the release of the service, Azure AD has processed 1 trillion identity authentications. This is a real testament to the level of scale we can handle.

At a high level, Azure AD is a high availability, geo-redundant, multi-tenanted, multi-tiered cloud service that has delivered 99.99% uptime for over a year now. We run it across 32 regions around the world. Azure AD has stateless gateways, front end servers, application servers, and sync servers in all of those data centers. Azure AD also has a distributed data tier that is at the heart of our high availability strategy. Our data tier holds more than 750 million objects.

No other cloud directory offers this level of enterprise reliability or proven scale. Quoting from the report KuppingerCole Leadership Compass Cloud User and Access Management: "Looking at the Market Leadership chart, we see Microsoft being the clear leader. This is based on the fact that their Azure Active Directory on one hand shows good direct acceptance and on the other builds the foundation for widely used Microsoft Office 365. Furthermore, Microsoft has an exceptionally strong partner ecosystem."

Last year, Gartner in their Magic Quadrant (MQ) for Identity Management as a Service (IDaaS) [Gartner, June 2015] has placed Azure AD after its only first year of availability in the "Visionaries" MQ. Gartner has released their MQ for IDaaS for 2016 [Gartner June 2016] and Azure AD Premium has been placed in the "Leaders" quadrant, and positioned very strongly for our completeness of vision.

Important note    The above graphic was published by Gartner, Inc. as part of the larger research document - a complimentary access is provided here- and should be evaluated in the context of the entire document. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

As Alex Simons, Director of Program Management, Microsoft Identity and Security Services Division, says, "we're thrilled with the result. It really validates our vision of providing a complete solution for hybrid identity and access for supporting employees, partners and customers all backed by world class security based on Microsoft's intelligent security graph. This result says a lot about our commitment in the identity and access management space but more importantly about our customers, implementation partners and ISV partners who have worked together with us. They have been awesome about sharing their time and energy every day, to make sure that the products and services we build meet their needs and are helping them position their companies to thrive in the emerging world of cloud and devices.

You might be surprised to know that Microsoft also is the only vendor in the Leader quadrant across Gartner's Magic Quadrants for IDaaS, Cloud Infrastructure as a Service (IaaS), Server Virtualization, Application Platform as a Service, Cloud Storage Services, and as a leader across the data platform and productivity services. This really shows you why customers are choosing Microsoft across the full spectrum of cloud computing – our services are well integrated and also among the best available in their individual categories.

Our effort doesn't stop here. We have a lot of hard work ahead of us and we are planning to deliver more innovative capabilities to further improve our position in the "leaders" quadrant."

Note    For more information on the available Azure AD editions (Free, Basic, Premium P1 and Premium P2), see later in this document and/or the article Azure Active Directory editions.

Many applications, one identity repository

As a cloud based directory being optimized to support modern business applications and consequently modern protocols based on http/REST, Azure AD makes it easy at either regional or global scale to:

  • Provision users and registers device, and manage them and their lifecycle via a RESTful web API, the Graph API REST.
  • Deliver a (federated) single sign-on experience for:
    • (cloud-based) web applications and web APIs on Azure or in other clouds such Amazon Web Services (AWS),
    • Mobile and native applications (with or without a back-end (e.g. Mobile Backend as a Service (MBaaS) in the cloud like the one proposed through the Azure App Service - Mobile Apps).

Note    Using the Azure AD support, mobile business applications can use the same easy Mobile Services authentication experience to allow employees to sign into their mobile applications with their corporate Active Directory credentials. With this feature, Azure AD is supported as an identity provider in Mobile Services alongside with the other identity providers we already support (which include Microsoft Accounts, Facebook ID, Google ID, and Twitter ID).

  • Microsoft services like Office 365, Dynamics 365, and Intune, as well as 3rd party pre-integrated SaaS applications thus eliminating the need for multiple usernames and passwords and limiting helpdesk calls and password resets.

Note    To make the configuration even easier, thousands (2797 at the time of this writing) of cloud SaaS pre-integrated applications like ADP, Concur, Google Apps, Salesforce.com and others, regardless of the public Cloud they are hosted on, are preconfigured via an application gallery with all the parameters needed to federate with them.

Single sign-on is the ability for a user to login in once and not have to re-enter their credentials each time when accessing different applications, APIs, or clouds. This represents an important part of Azure AD because it delivers a secure, yet simple and seamless way for users to connect to their resources running somewhere in the cloud.

  • Manage user's conditional access control, a feature of Azure AD Premium P1 and Azure AD Premium P2 editions (see later in this document), to (cloud-based) web applications, web API, Microsoft cloud services, 3rd party SaaS applications, and native (mobile) client applications, and have the benefits of security, auditing, reporting all in one place.
  • Connect (cloud-based) web applications, web APIs, Microsoft cloud services, 3rd party SaaS pre-integrated applications, and native (mobile) client applications to the directory (tenant) through the use of REST/HTTP interfaces and to fully leverage the enterprise graph represented by the directory tenant.

Note    The approach of using standard REST interfaces to operate over a graph containing entities (nodes) and relationships (arcs) between entities - often referred to as a graph interface - is very common on the Internet nowadays. For more information on networks and graphs, we advise you reading the book entitled Networks, Crowds, and Markets: Reasoning About a Highly Connected World published by Cambridge University Press.

  • Revoke access to (cloud-based) web applications, web APIs, Microsoft cloud services, 3rd party SaaS applications, and native (mobile) client applications when an employee leaves the organization or changes jobs.
  • Manage federation and access to cloud facing services for partners and customers.

Interestingly enough, you can extend the above same experience to your on-premises applications as well, because increasingly you're managing both on-premises as well as cloud-based applications. With Azure AD Application Proxy, a feature of Azure AD Premium P1 and Azure AD Premium P2 editions (see later in this document) to secure remote access to on-premises based web applications that support any of the key open standards (SAML, OAuth 2.0, Kerberos, etc.) based authentication methods, you can indeed actually bring those on-premises traditional applications such as a SharePoint site right into Azure AD.

For applications that do not support the above standards, we have partnered with Ping Identity. "The result of this collaboration is "PingAccess for Azure AD", which will be available in public preview in early 2017. Our Azure AD Premium customers will be able to use this solution to connect to 20 on-premises web applications at no additional cost. And for organizations that need to use it for more than 20 applications, a full license will be available from Ping."

You thus have a true single control plane.

Delivering a seamless user authentication experience

For organizations who already run an on-premises identity infrastructure, Azure AD has everything needed to get your on-premises directory connected to the cloud and integrate with it.

Azure AD includes Azure AD Connect, a single and unified wizard that streamlines and automates the overall onboarding process for both directory synchronization with on-premises AD mono-forest and multi-forest environments, including password (hash of) hash synchronization (PHS), pass-through authentication (PTA) in preview or single sign-on (SSO) if you want to.

Azure AD Connect is now the one stop shop for connecting your on-premises directories to Azure AD, whether you are evaluating, piloting, or in production.

Note    For more information, see article Integrating your on-premises identities with Azure Active Directory.

Azure AD Connect is the best way to connect your on-premises directory with Azure AD and Office 365. Azure AD Connect is replacing DirSync and Azure AD Sync and these two older sync engines are deprecated from April 13, 2016 reaching end of support April 13,2017.

Note    Interestingly, Azure AD Connect allows upgrading or migrating your existing DirSync or Azure AD Sync deployment quickly and easily with little or no impact. For more information, see article Upgrade Windows Azure Active Directory Sync ("DirSync") and Azure Active Directory Sync ("Azure AD Sync").

Important note    Customers using DirSync or Azure AD Sync will continue to synchronize after April 13, 2017 but they not be able to receive support for their synchronization tool. They must upgrade to the latest version of Azure AD Connect in order to receive support.

Important note    Customers running Azure AD Connect 1.0.x.0 also received the message to upgrade to the latest version of Azure AD Connect in order to receive support. Microsoft recommends customers to stay current with Azure AD Connect releases. For a full list of fixes and improvements over the time of Azure AD Connect, see article Azure AD Connect: Version Release History.

Azure AD Connect offer a rich set of sync capabilities such as:

  • Control over which attributes are synchronized based on desired cloud services to consume..
  • Ability to set up the connection to Active Directory with minimal Windows Server AD privileges.
  • Setup synchronization rules by mapping attributes and controlling how the values flow to the cloud.

and, with the Azure AD Premium P1 or P2 editions, also a rich set of write-back capabilities with the ability to enable:

  • Provisioning from the cloud with user write back to on-premises AD.
  • Write back of "Groups in Office 365" to on-premises distribution groups in a forest with Exchange.
  • Device write back so that for example on-premises access control policies enforced by AD FS can recognize devices that registered with Azure AD (more on this later in this document). This includes the recently announced support for Azure AD Join in Windows 10.

Note    For more information, see whitepaper Azure AD & Windows 10: better Together for Work and School.

  • Enable your users to perform self-service password reset in the cloud with write-back to on-premises AD.

Azure AD supports integration with AD FS and other third-party security token services (STS) such Shibboleth2, PingFederate, SiteMinder, etc. to provide a (federated cross-domain) single sign-on experience for corporate users while keeping user passwords on-premises - if the "same sign-on" experience enabled by the PHS or PTA features that Azure AD Connect can enable aren't sufficient and/or don't fulfill your security requirements.

Important note    In addition to the directory synchronization (single or multiple directories) and password sync, the above Azure AD Connect tool also allows to streamline the overall onboarding process for single sign-on and, as such, automatically performs the following steps: download and setup of all the prerequisites, download, setup, and/or configuration of AD FS – AD FS being the preferred STS, etc.

Note    The Azure Active Directory Connect Health (Azure AD Connect Health) cloud based service in the Azure portal helps you monitor and gain insight into health, performance and login activity of your on-premises identity infrastructure. As such, it offers you the ability to view alerts, performance, usage patterns, configuration settings, enables you to maintain a reliable connection to Azure AD and much more.

The currently available release in GA not only focusses on AD FS (i.e. Azure AD Connect Health for AD FS) but also on sync to allow you to monitor and gain insights into the sync service of Azure AD Connect (i.e. Azure AD Connect Health for sync). In addition, the monitoring of the AD DS infrastructure is now available in public preview (i.e. Azure AD Connect Health for AD DS).

Azure AD Connect Health is a feature of the Azure AD Premium P1 and P2 editions (see later in this document) and represents a key part of our effort to help you monitor and secure your cloud and on-premises identity infrastructure. For more information, see article Monitor your on-premises identity infrastructure and synchronization services in the cloud.

Connecting customers' existing on-premises directories to Azure AD fully satisfies the requirements of hybrid deployments and hybrid identities in this context, and provides unified authentication and access management for both cloud and on-premises services and systems, eliminating the need to maintain new, independent cloud directories. At the end, Azure AD provides your corporate users with a seamless, same sign-on (PHS or PTA) or (federated) single sign-on experience across all your applications, while simplifying the adoption of SaaS subscriptions, as well as the development of your own modern business applications.

Note    In addition to the PHS or PTA features, the seamless single sign-on (SSO) feature currently in public preview as the time of this writing allows end-users to only need to type their username and not their password to sign in to Azure AD/Office 365 or other cloud apps and services when they are on their corporate machines and connected on the organization's corporate network. The seamless SSO feature leverages the Windows Integrated Authentication (WIA) capabilities and the Kerberos protocol. For more information, see article What is Single Sign On (SSO) (preview).

Modern business applications live in an environment that includes a broad spectrum of mobile and native clients, server to server communication, and web APIs, in addition to traditional browser-and-website interactions. Thus, to address all the scenarios introduced by these applications, Azure AD, as a next generation authentication platform, is designed to address these new requirements through standard and modern http/REST protocols such as OpenID Connect, OAuth 2.0, and OData, in addition to SAML 2.0, WS-Federation, and WS-Trust.

Note    The OpenID Foundation has recently launched a certification program for OpenID Connect implementations. For more information, see the article The OpenID Foundation Launches OpenID Connect Certification Program. Azure AD has successfully passed the certification and is certified as an OpenID Connect identity provider.

Having an OpenID Connect certification program provides confidence that certified implementations will "just work" together. This represents another important step on the road to widely-available secure interoperable digital identity for all the devices and applications that people use. Microsoft is proud to be a key contributor to the development of OpenID Connect and now of its certification program.

Azure AD works with any modern browser running on a laptop, tablet or mobile device and can be easily integrated into applications running on a multitude of platforms from Microsoft and 3rd parties.

Conversely, if you are a cloud ISV, you can leverage Azure AD to reach a vast user population, which includes the ever-growing user base of the Office 365.

Leveraging the Azure AD offerings

Azure AD is the directory behind Microsoft Online Services subscriptions like Office 365, Dynamics 365, Intune, etc. and is used to store user identities and other tenant properties. Just like the on-premises AD stores the information for Exchange, SharePoint, Lync and your custom LOB Apps, Azure AD for instance stores the information for Exchange Online, SharePoint Online, Lync Online and any custom applications build in the Microsoft's cloud.

Azure AD is available in four different editions to choose from:

  • Azure AD (Free). With the Free edition of Azure AD, you can manage user accounts, synchronize with on-premises directories, and get single sign-on across Azure, Office 365, Dynamics 365, etc. and thousands of popular SaaS pre-integrated applications like Salesforce, Workday, Concur, DocuSign, Google Apps, Box, ServiceNow, Dropbox, and more, without speaking for your own applications.

Note    This is a free edition as being used by the above Microsoft Online Services subscriptions such as Office 365 in the context of this paper. If you've already subscribed to a paid Office 365 subscription, you can benefit from an Azure $0 subscription that you can use to access the Azure portal with your existing Office 365 subscription to directly manage the related Azure AD tenant; to do so you can sign-up for this $0 subscription by following the link https://account.windowsazure.com/PremiumOffer/Index?offer=MS-AZR-0110P&whr=azure.com.

Note    Independently of any Microsoft Online Services subscriptions, you can sign-up for your free Windows AD tenant and trial Azure account by following the link https://account.windowsazure.com/signup?offer=MS-AZR-0044P.

  • Azure AD Basic. Azure AD Basic provides the application access and self-service identity management requirements of task workers with cloud-first needs. With the Basic edition of Azure AD, you get all the capabilities that Azure AD Free plus group-based access management, self-Service password reset for cloud applications, customizable environment for launching enterprise and consumer cloud applications, and an enterprise-level SLA of 99.9 percent uptime.

Note    For more information, see blog post Azure Active Directory Basic is now GA!.

  • Azure AD Premium P1. The previously existing Azure AD Premium has become Azure AD Premium P1, with no change for existing customers. With the Premium P1 edition of Azure AD, you get all of the capabilities that Azure AD Free and Azure AD Basic have to offer, plus additional feature-rich enterprise-level identity management capabilities.
  • Azure AD Premium P2. This new offering includes all the capabilities in Azure AD Premium P1 as well as our new Identity Protection and Privileged Identity Management capabilities.

Note    To sign up and start using the Premium editions, see article What is Microsoft Azure Active Directory licensing?.

Note    For a description of each edition below and a comparison table, see article Azure Active Directory editions. For more information on usage model, see article Azure Active Directory Pricing. For information on the usage constraints and other service limits for the Azure AD service per edition, see article Azure subscription and service limits, quotas, and constraints.

The above editions are part of the Microsoft Enterprise Mobility + Security (EMS) (formerly Enterprise Mobility Suite) E3 respectively E5 offerings, which represents comprehensive and cost effective solutions for enterprise mobility needs.

Note     For more information on the EMS offerings, see blog post Introducing Enterprise Mobility + Security.

Note    The EMS offerings are not only available with an Enterprise Agreement (EA) but also through the Microsoft's Cloud Solution Provider (CSP) and Open programs. For more information, see the blog post Azure AD and Enterprise Mobility Suite now available without an Enterprise Agreement.

Furthermore, global administrators of a Azure AD (Premium) tenant can optionally choose to enable the Multi-Factor Authentication support in Azure AD Premium P1 and Azure AD Premium P2 editions to require theirs employees to use a second-form of authentication when logging into the Cloud based and SaaS applications declared in the directory tenant (e.g. a mobile phone app, an automated phone call, or text message challenge) to enable even more secure identity access, and to protect the organization's identity data in the cloud.

Interestingly enough, the Multi-Factor Authentication service composes really nice with the SaaS support you can literally set up secure support for any pre-integrated SaaS application (complete with multi-factor authentication support) to your entire organization within minutes.

Note    Multi-Factor Authentication for Office 365 helps secure access to Office 365 applications at no additional cost.

The above offerings largely target the identity management (IDM) of employees and their devices to access the organization's resources.

Extending Azure AD for external identities

One of the new capabilities we are engineering in Azure AD is the ability to extend an organization's IDM services for business-to-employees (B2E) to encompass all the people who interact with its applications and resources accessible online, but who are not directly members of the organization itself.

We will refer to these people as "external identities". Since consumers and partners are chief amongst them, we are introducing two new Azure AD IDaaS capabilities/offerings for addressing them:

  1. Azure AD B2B collaboration feature currently in public preview for helping secure business-to-business (B2B) collaboration with the partner organizations that you work with every day.
  2. And a new service for business-to-consumer (B2C) for individual consumer with Azure AD B2C in GA in North America, and in public preview elsewhere. As Gartner says in the aforementioned research document, "B2C use cases have grown in importance as organizations look to replace a mixture of custom-developed IAM products and traditional on-premises IAM products".

Note    The word "consumer" is used here to refer to the ultimate consumer, customer, client, citizen, retiree, or a supporter of a business, government or charity, someone who is acting as an individual, and not as a representative of an organization.

While much of the technology of Azure AD must remain the same (e.g. directory), the IDM of employees, the IDM of business partners, and the IDM of the individual consumers have all many different requirements – thus the need for technologies that interact but are honed to specific problems. To master these requirements, Microsoft has worked closely with a number of customers in private previews. Some of the private preview deployments are already fully in production.

Azure AD B2B collaboration helps improve security while simplifying the management of partner access to resources, including SaaS applications such as Office 365, Salesforce, Dropbox, Workday, etc., and other mobile, cloud, and on-premises claims-aware applications. An email-verified process allows partners of all sizes, with or without an existing Azure AD subscription, to manage their accounts and get single sign on (SSO) access to the line-of-business (LOB) applications you provide. This improves security as users lose access when they leave the partner organization, while you control access policies within your organization. This also simplifies administration as you don't need to manage an external partner directory or per partner federation relationships. These capabilities can be used with on the available Azure AD editions, and as part of the Microsoft Enterprise Mobility + Security (EMS).

Azure AD B2C is a new comprehensive, cloud-based, consumer identity and access management solution currently for your consumer-facing applications, that can be integrated in any platform, and accessible from any device. Azure AD B2C is a highly available global service that can support hundreds of millions of consumer identities. Azure AD B2C gives individual consumer a choice between "Bringing their own Identities" (BYOI) by using one of their existing social accounts, such as Facebook, Google+, Amazon, or LinkedIn or Microsoft Account), or creating a new local account (arbitrary email address / username with password).

All the above offerings and options allow to accommodate many different requirements – thus the need for B2B and B2C technologies that interact but are honed to specific problems. In fact, Azure AD, Azure AD B2B collaboration and Azure AD B2C can be thought of as a continuum, so approaches need to be able to be mixed and deployed flexibly.

Going beyond

Azure AD is a comprehensive identity and access management cloud solution, utilizing the enterprise-grade quality and proven capabilities of AD on-premises. It combines core directory services, advanced identity governance, security and application access management.

It offers capabilities that can be leveraged to centralize the identity management needs of your solutions, and SaaS subscriptions, whether they are cloud-based, hybrid, or even on-premises. Azure AD is a complete offering that can help you to take advantage of your on-premises existing investment, to fully outsource to the cloud your users (and devices) management and anything in between. For enterprises with more demanding needs an advanced offering, Azure AD Basic, Azure AD Premium P1, and Azure AD Premium P2 help complete the set of capabilities that this identity and access management solution delivers.

As part of the same series of documents on Azure AD available on the Microsoft Download Center, the whitepaper An overview of Azure Active Directory further presents these three editions (i.e. Free, Basic, and Premium) of Azure AD.

In addition, the whitepaper Introducing Azure Active Directory B2B presents the new feature Azure AD B2B collaboration that can be used with on the above editions to embrace identity management (IDM) of partner and supply chains, and manage Business-to-Business collaboration.

Similarly, the whitepaper An overview of Azure Active Directory B2C presents the new service for Business-to-Consumer: Azure AD B2C to embrace identity management (IDM) of individual consumers.

The whitepaper Azure AD & Windows 10: Better Together for Work or School introduces how Windows 10 Pro, Windows 10 Enterprise editions, and Windows 10 Education will enable a device to connect to your Azure AD tenancy to seamlessly access SaaS applications in the cloud and traditional applications on-premises, and all of that without needing the traditional WSAD domains on-premises if you want to. It depicts the related experiences whether you are cloud-only, hybrid or have an on-premises AD infrastructure as well as how to enable them.

The whitepaper Azure AD/Office 365 seamless sign-in in seven parts (Part 1, Part 2, Part 3, Part 4/Part 4bis, Part 5, Part 6, and Part 7) provides an understanding of:

  • The different seamless sign-in deployment options with Azure AD/Office 365: password hash synchronization (PHS), pass-through authentication (PTA), (federated cross-domain) single sign-on (SSO), seamless SSO with PHS or PTA.
  • How to enable it using corporate Active Directory credentials to Azure AD/Office 365.
  • The different configuration elements to be aware of for such deployment options.
  • And instrumented end-to-end walkthroughs to setup an Azure-based lab environment in Azure Resource Manager (ARM) to further familiarize yourself with both the installation and configuration of the related infrastructure depending on the chosen option.

This whitepaper now supersedes the previously available whitepaper Azure AD/Office 365 single sign-on with AD FS in Windows Server 2012 R2 in two parts (Part 1 and Part 2/Part 2bis) that now should be considered as deprecated in this series of documents and will be retired in a near future: some other whitepapers still have a dependency on it.

Likewise, the whitepaper Azure AD/Office 365 single sign-on with Shibboleth 2 provides an understanding of how to enable single sign-on using corporate LDAP-based directory credentials and Shibboleth 2 with the SAML 2.0 protocol to Azure AD/Office 365, and the different configuration elements to be aware of for such deployment. It also provides an end-to-end walkthrough of the related setup and configuration.

The whitepaper Leverage Multi-Factor Authentication with Azure AD covers the Azure Multi-Factor Authentication paid offering and how to leverage it with Azure AD (Premium P1 and Premium P2).

As an addition to the aforementioned whitepaper Leverage Azure Multi-Factor Authentication with Azure AD, and for an organization that is federated with Azure AD, the whitepaper Leverage Multi-Factor Authentication Server for Azure AD single sign-on with AD FS aims at describing how to use Azure Multi-Factor Authentication Server and to configure it to secure cloud resources such as Office 365 so that so that federated users will be prompted to set up additional verification the next time they sign in on-premises. In order not to "reinvent the wheels", this document leverages the instrumented Azure Service Manager (ASM) based walkthrough provided in the Part 2bis of the above (deprecated) whitepaper Azure AD/Office 365 Single Sign-On with AD FS in Windows Server 2012 R2. A new version will be available soon to leverage the ARM based configuration of the whitepaper Azure AD/Office 365 Seamless Sign-in in lieu of the above classic ASM based one.

Finally, Azure AD also offers to developers and cloud ISVs an identity management platform to deliver access control to their modern business applications, based on centralized policy and rules. The whitepaper Leverage Azure AD for modern Business Applications further presents the aspects that relates to the development of solutions with the current app model and the next generation one's with the app model v2.0 in preview.