Channeling the Cloud

Windows Azure Active Directory: Taking AD Deeper into the Cloud

Active Directory took its first step into the cloud with Office 365, but Microsoft is upping the ante with free access control in the forthcoming Windows Azure Active Directory.

The vast majority of organizations have long relied on Microsoft Active Directory for single sign-on authentication and authorization to key internal resources. AD isn't an endangered species, but it is changing with the rapid growth of cloud services and Bring Your Own Device (BYOD) policies, which require customers to provide access to employee-owned PCs, tablets and smartphones.

AD made its move to the cloud in 2011 with the launch of Office 365, when Microsoft permitted customers to federate their on-premises AD domains to the service. AD credentials are now accepted by other Microsoft cloud offerings as well, including the online versions of its Dynamics applications and Windows Intune.

The next step in AD's migration to the cloud is Windows Azure Active Directory (WAAD), an AD service running on Microsoft's Windows Azure platform. WAAD is in beta now, and Microsoft recently said it will offer its access control capability free of charge upon release.

"If you're building a service in Windows Azure, you can create your own tenant in Azure and create users and we let you manage those users, who can be connected to your cloud services," Uday Hegde, principal group program manager for Active Directory at Microsoft, told RCP last month. Furthermore, Hegde said Windows Server customers running AD on-premises can connect to WAAD and avail themselves of all its features.

Microsoft is betting that its large base of customers running AD will extend it to WAAD. It stands to reason that those who move Windows Server applications to Windows Azure, or build new ones there, will provide authentication for them through WAAD.

But will WAAD deliver the same single sign-on and authentication in the cloud that AD delivers in the datacenter today? There's a lot of money betting that it won't do so on its own. A number of players offer cloud-based Identity Management as a Service (IDMaaS) solutions that leverage AD and WAAD to provide single sign-on to other resources, such as Software as a Service (SaaS) offerings from Google, Salesforce.com and Workday, among hundreds more.

Among those providers are Centrify, Ping Identity, Okta and Symplified. Just last month, Okta received a cash infusion of $25 million in Series C funding led by Sequoia Capital, bringing the total amount it has raised to $52 million.

Okta, like many of its rivals, is using AD and WAAD APIs to enable single sign-on to SaaS and traditional apps. "A CIO wants to have one single identity system that connects them to these different applications," says Okta VP Eric Berg.

Centrify, which just launched its new DirectControl for SaaS, authenticates users with their AD credentials for access to SaaS solutions. Like Okta, Centrify's cloud-based identity service doesn't aim to compete with WAAD, but to connect to it. "Our cloud offering is in effect an identity bridge to a customer's Active Directory," says Centrify CEO Tom Kemp.

As SaaS and BYOD become more pervasive, these and other third-party IDMaaS gateways will help bridge AD to those solutions, but they don't appear likely to replace it.

About the Author

Jeffrey Schwartz is editor of Redmond magazine and also covers cloud computing for Virtualization Review's Cloud Report. In addition, he writes the Channeling the Cloud column for Redmond Channel Partner. Follow him on Twitter @JeffreySchwartz.