Everyone knows by now that Microsoft is getting into the cloud business. But for a long time one of the biggest obstacles to corporate customers joining Microsoft on that move was the lack of an identity management platform that could span the boundary between cloud provider and enterprise.
Organizations have spent gobs of budget over the years getting single sign-on (SSO) and single-pane-of-glass identity management working within the walls of their businesses, and they're in no hurry to have to create a separate set of cloud-only credentials for their users.
Enter Windows Azure Active Directory, the cloud version of Microsoft's highly successful directory service that has been a part of Windows Server for years.
There are three major parts of the Windows Azure Active Directory (WAAD) service:
- First, developers can connect to a REST-based Web service to create, read, update and delete identity information in the cloud for use right within their applications. They can also leverage the SSO abilities of Windows Azure Active Directory to permit individuals to use the same identity credentials used by Office 365, Dynamics CRM, Windows Intune and other Microsoft cloud products.
- Second, the developer preview allows companies to synchronize their on-premises directory information with WAAD and support certain identity federation scenarios as well.
- Finally, the recently released developer preview supports integration of WAAD with consumer identity networks like Facebook and Google, making for one less ID necessary to integrate identity information with apps and services.
Let's take a look at WAAD as it stands now in developer preview form, what we can expect from it and what we still don't know about the code.
How Windows Azure Active Directory works
In this early stage, WAAD is hosted by Microsoft in its data centers and is used largely by Office 365, the vendor's cloud Office suite. Information about users, groups and services that are part of the Office 365 offering are stored in a cloud-based AD instance that lives as a tenant on Microsoft's services.
For now, that's pretty much the only way to get started with exploring and testing WAAD, since currently there isn't a front end to generate just a directory instance. Even the Microsoft documentation will tell you to sign up for a trial of Office 365 to get started.
Microsoft says that in the future, you'll be able to bring up an instance of WAAD as part of your overall Azure subscription, but for now, Office 365 is the entry point.
What's in the WAAD cloud
Assuming you access WAAD via Office 365 and continue along with that experience, you'll find that the cloud directory instance is made up of the following discrete types of information:
- Users: Information about people, passwords, the security policies for those passwords and other related data.
- Groups: Security groups and distribution groups, like you're accustomed to in on-premises Active Directory.
- Role memberships: Information about which users belong to which roles. (Only users -- people, in other words -- can be members of roles; groups can't have roles.)
- Service principals: Any object that's not a person that is used to access objects in the directory. These could be computers, devices conference rooms, or anything else that isn't a specific user.
- Domains: Essentially a list of DNS domains that are connected to your cloud directory instance or Office 365 instance.
- Microsoft service-specific information: Items like subscription lists, licenses, service levels and more. These pieces don't really have a direct link to relevant administrative tasks and are included in the directory more for Microsoft's internal use.
Sign up for CIO Asia eNewsletters.