When you hear the words 'Azure Active Directory', you might mistakenly envision a hosted version of Microsoft's popular directory service.
Instead, Microsoft Azure AD is actually a web service that extends your on-prem Active Directory identities so they can be used to provision single sign-on to Azure services as well as a broad range of popular business-focused SaaS apps.
It works in concert with sync tools that pull data from your on-premises Active Directory. (Today that's the wizard-style DirSync tool, but Microsoft has announced a successor called Azure Active Directory Sync (AAD Sync), available in preview as of June, which can support organisations with multiple forests.)
Once a user is provisioned, they either log in via the web (MyApps) or via a mobile app to enjoy one-click access to all the corporate-provisioned SaaS apps to which IT administrators have granted access.
It's a powerful idea: Microsoft delivers IT shops a means of managing 'shadow IT' using a directory service they are likely to have already invested in substantially. From a security and simplicity perspective, users never have to know the usernames and passwords of the myriad of SaaS apps the business offers access to, only their Active Directory credentials.
Microsoft is aiming to build the "world’s largest enterprise identity and access management cloud solution," as one proud Redmond engineer described it.
But like most Azure products, Azure AD has first been released for admins to play with well before it is fully baked for production use. Use of the service is also governed by a licensing construct typical of Microsoft's boxed software.
Let's take a look at where it's at so far:
The paid version of Azure AD offers organisations the ability to white-label and customise the log-in experience, which will tick a box for those organisations looking to offer users a corporate portal for access to SaaS apps.
Beyond these trimmings, one of the most basic functions of Azure AD is the managing of user identities, whether they are created in the Azure cloud or imported/synchronised with the on-premise Active Directory.
In the figure above we can see a view of all the devices a particular user has connected from using Azure AD credentials, which should give administrators a good idea of what systems they need to support from a BYOD perspective.
A premium subscription also enables admins to set up multi-factor authentication (as seen below). If user mobile phone numbers are stored in Active Directory and MFA is toggled on, users are prompted to choose between a phone call, text message or use of a mobile app to authenticate to the service.
Free users of Azure AD can provision and apply single sign-on to a given application for individual users, but assigning apps to groups of users requires a premium subscription.
Further, the free version limits each user to a maximum of ten applications.
Microsoft's real masterstroke has been to use Azure AD as a means of providing single sign-on to hundreds of SaaS apps - some 1270 at the time of writing. Microsoft engineers who sat in on our review noted that by the end of the financial year, Microsoft expects to have integrated with the authentication APIs of some 2000 SaaS vendors.
Microsoft has also announced that it is building a separate web service for the discovery of cloud apps, which goes head-to-head with Sky High Software. These products scan your firewall traffic to generate reports on which SaaS applications users are subscribing to, whether or not IT has approved them. We'll review these two apps at a later date.
Azure AD connects to all the major providers of online business apps you might expect - Workday, Salesforce.com, ServiceNow etc. There are also a few surprises - Amazon Web Services and Google, among them.
Assigning an app to a user (see above) is fairly straightforward, but as mentioned, assigning an app to a group of users is a premium feature targeted at customers with large user bases and deeper pockets.
For any given app, administrators can configure single sign on and auto provisioning with a bit of back and forth between the Azure AD window and the SaaS provider's dashboard.
For the most part, we found it relatively painless thanks to the wizard-style instructions the Azure team has provided for each app.
Risk-conscious CIOs can choose to keep passwords stored behind the corporate firewall using Active Directory Federation Services (AD FS). We expect that to be a popular option, despite the additional complexity.
If an organisation instead chooses to store passwords in Azure, it has no control over where those details are stored, because Azure replicates data across three regions to meet the 99.9 percent SLA it offers enterprise users.