News

Microsoft Readies Azure AD Connect for General Availability

Azure Active Directory Connect, Microsoft's wizard-like tool that aims to make it easier for organizations to connect their on-premises Active Directory (AD) environments with Microsoft's cloud-based Azure AD service, will be released commercially this month.

Using Azure AD Connect will theoretically open up mobile management scenarios for organizations planning to move to Windows 10. However, a lot of those mobile management capabilities are still pending at this point. They'll be available when Microsoft rolls out all of the dependent technologies.

Azure AD Connect is Microsoft's next-generation tool, currently at preview, that combines the functions of Microsoft's Directory Synchronization (DirSync) and Azure AD Sync Services tools. Azure AD Sync is the replacement for DirSync, but both tools are getting deprecated by Microsoft in favor of Azure AD Connect. Exactly which tool to use at this point can be a complex decision. Microsoft republished this TechNet guide, which offers some advice in that regard.

Windows 10 is expected to arrive commercially on July 29. Microsoft also has indicated that there will be a "fall" Windows 10 release (rumored to happen on "Oct. 1") on top of the July release. It seems that many of Windows 10's mobile management capabilities will arrive in the latter release period.

Microsoft previously acknowledged that many of its Azure AD capabilities for Windows 10 "will probably show up in Windows 10 in the fall rather than in the first release this summer," according to a May blog post. Possibly, the July 29 release date will be for the Windows 10 Home edition aimed at consumers, with enterprise Windows 10 capabilities arriving in the fall, but Microsoft hasn't been so specific.

Azure AD Connect Availability
Azure AD Connect was first released as a preview back in August, but it will hit "GA" ("general availability") sometime this month, according to Mahesh Unnikrishnan, a program manager on Microsoft's mobile device management team, in a blog post. Unnikrishnan briefly mentioned that GA detail amid a more general discussion of Windows 10 mobile management capabilities.

One nuance provided by Unnikrishnan is that the Azure AD Connect tool will be capable of syncing device compliance information. That capability can be used to support "conditional access," which is Microsoft's protection scheme for checking the compliance state of a device before granting it access to corporate apps and data. Under this approach, IT departments set policies that are evaluated at each access request, such as requiring that the device be enrolled in management and not "jailbroken" before it can reach corporate resources.

Here's how Unnikrishnan described Azure AD Connect aiding in that process:

Additionally, Azure AD Connect (which should GA in the next week or two) will soon sync device compliance information from Azure AD to your on-premises AD (requires Windows Server 2016). ADFS (Active Directory Federation Services) on Windows Server 2016 supports conditional access control based on a device's compliance state. Your IT administrator can configure conditional access control policies in ADFS that use the device's compliance state as reported by Intune to secure on-premises applications.
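
The following is an added example, not code from Unnikrishnan's post or from Microsoft, of what such an AD FS policy on Windows Server 2016 looks like when expressed as claims-rule-language issuance authorization rules and applied with the AD FS PowerShell module. The relying party name "Claims App" is a placeholder, and the two device-context claim types are assumed to be the ones AD FS 2016 issues for a registered device; verify them against the claims your own farm emits before relying on them.

```powershell
# Added example (not from Microsoft's post): permit access to an on-premises
# relying party only from a device that Intune reports as managed and compliant.
# Assumptions: AD FS on Windows Server 2016, device authentication enabled on the
# farm, and compliance state already written back to on-premises AD by Azure AD
# Connect. "Claims App" is a placeholder relying party name.

$rpName = "Claims App"

# Claims rule language. A request is permitted only when both device-context
# claims are present and true; a request with no matching claims receives no
# permit claim, which AD FS treats as a denial.
$authzRules = @'
@RuleName = "Permit only managed and compliant devices"
c1:[Type == "http://schemas.microsoft.com/2012/01/devicecontext/claims/ismanaged", Value == "true"]
 && c2:[Type == "http://schemas.microsoft.com/2012/01/devicecontext/claims/iscompliant", Value == "true"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# AD FS 2016 relying parties that carry a named access control policy will not
# accept custom rules until the policy is cleared (assumption about your farm's
# current configuration; harmless if no policy is assigned).
Set-AdfsRelyingPartyTrust -TargetName $rpName -AccessControlPolicyName $null

Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceAuthorizationRules $authzRules

# Read back what was applied so the change can be reviewed.
(Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceAuthorizationRules
```

The rule only sees the two device-context claims when the device has been registered with the farm and the compliance state synced down by Azure AD Connect is available in on-premises AD, which is exactly the dependency the quoted post describes; an unregistered device simply produces no such claims and is denied.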

Another way to enable conditional access is to use Microsoft's Azure AD Application Proxy service, according to Unnikrishnan:

For on-premises applications that are published through the Azure AD Application Proxy, you can configure conditional access control policies similar to how you'd do so for cloud applications. For more details, refer to Alex's blog post from earlier this year.

Azure AD Application Proxy is a reverse proxy service that publishes an organization's on-premises Web apps and services through Azure AD: a connector installed on premises relays the traffic, and external users can be required to authenticate to Azure AD before their requests reach the app, which is the point where a conditional access policy is applied. It's apparently still at the "preview" stage, though. If an organization uses the Application Proxy, it won't require a server upgrade to enable conditional access capabilities with Windows 10, according to Microsoft.

"Conditional access for cloud services or on-premise services that are published using the Azure AD App Proxy will not require a server update," a Microsoft spokesperson explained, via e-mail.

More To Come
Microsoft likely will explain more about its mobile management product dependencies and requirements for Windows 10 at a later date. Most of the descriptions so far have been at the high level, but the capabilities often center on using the Azure AD service, the Intune management service and having Microsoft's Enterprise Mobility Suite licensing in place.

Microsoft has described Windows 10 edition names, but not the capabilities associated with those editions. It's still unclear which mobile management capabilities will be available and when.

Some of the mobile management capabilities can't be tested yet. Unnikrishnan noted that's the case for an automatic mobile device management enrollment capability in Windows 10. "Automatic MDM enrollment with Azure AD and Intune will soon be available through the Windows 10 Technical Preview," Unnikrishnan noted.

In general, Unnikrishnan depicted Azure AD as a "control plane" for mobile management scenarios. The depiction echoes an Ignite session talk in May by Jairo Cadena of the Microsoft Azure AD team. Mobile management has been a big push at Microsoft and Azure Active Directory is being positioned as a kind of bridge to make it all work.

Microsoft recently touted its "visionary" designation by Gartner Inc. with regard to the enterprise mobility management solutions space. Gartner's "Magic Quadrant" publication picked VMware's AirWatch as the leader in that space. However, Microsoft still found a place in the rankings after being just one year in the market.

Gartner's report cautioned that the hybrid management solution combining System Center Configuration Manager with Intune lags behind using Intune as a "standalone" management solution. Gartner also noted that Intune was behind competing products with regard to "containerization and analytics features" in the enterprise mobility management space.

About the Author

Kurt Mackie is senior news producer for the 1105 Enterprise Computing Group.