Microsoft Unveils Azure AD Domain Services
- By Kurt Mackie
- October 16, 2015
Microsoft rolled out previews of its Azure Active Directory products this week, including the completely new "Azure AD Domain Services."
Released Wednesday, Azure AD Domain Services is aimed at organizations trying to leverage Microsoft's Azure Active Directory cloud-based authentication services with their on-premises Active Directory identity and access management infrastructures.
In addition, Microsoft also released previews of a few new Azure AD Application Proxy services.
Azure AD Domain Services
The new Azure AD Domain Services release, available as a preview, is meant to smooth over issues associated with so-called "legacy apps," meaning applications that don't use modern authentication protocols such as SAML or OAuth 2.0 and instead expect a domain: domain join, LDAP, Kerberos or NTLM. Getting such apps authenticated against Microsoft's cloud services has sometimes required setting up expensive network connections back to on-premises domain controllers, or running domain controllers in Azure virtual machines, which then have to be patched and maintained, according to Microsoft's explanation.
Such scenarios get easier with the new Azure AD Domain Services, Microsoft is promising. The service works alongside premises-based AD environments and removes the domain controller patch burden, according to Microsoft's announcement:
Azure AD Domain Services provides managed cloud based domain services such as domain join, group policy, LDAP & Kerberos/NTLM authentication in the Azure cloud that are fully compatible with Windows Server Active Directory. With these services, you get the full value of Windows Server AD in the cloud domain, without having to deploy, manage, monitor and patch domain controllers.
The service is available at the preview stage for all organizations that have Azure AD tenants, across the "Free, Basic and Premium" subscription plans. However, the preview of Azure AD Domain Services isn't free. It's currently billed at an hourly rate that's half the coming "general availability" price. Also, during the preview Azure AD Domain Services is only offered at the 5,001 to 25,000 objects tier, according to the announcement. The preview is also slightly delayed: a software glitch caused Microsoft to pull it earlier this week, but the company expects to make it available again on Friday.
The new Azure AD Domain Services represents a "huge milestone" for the company, according to Alex Simons, director of program management for the Microsoft Identity Division. "After years of work, we've reached the point where Azure AD is now a super set of Windows Server AD," he claimed, adding that "it gives cloud forward companies the opportunity to go 'cloud only' while still getting all the benefits of Azure AD and Windows Server AD."
Organizations that are cloud-only can use the service with their users' existing credentials, Microsoft said. Organizations that synchronize their local AD forests with Azure AD need to force a full password synchronization using the latest Azure AD Connect release, Microsoft's announcement explained. The reason is that the managed domain authenticates with Kerberos and NTLM, so it needs password hashes in the formats those protocols use; Azure AD Connect only starts generating and shipping those hashes once the feature is enabled, and a forced full sync is what pushes them for existing accounts.
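The forced full password sync described above, as an added example that is not part of the article or of Microsoft's announcement. It uses the ADSync PowerShell module that ships with Azure AD Connect and follows Microsoft's documented procedure for triggering a full password hash sync: set the connector-global ForceFullPasswordSync flag, then restart password sync on the connector pair. The connector names, the preliminary "is sync enabled" check and the final event-log query are assumptions for illustration; take the exact, case-sensitive connector names from Get-ADSyncConnector on your own sync server.

```powershell
# Added example: force Azure AD Connect to push a full password hash sync.
# Run in an elevated PowerShell session on the Azure AD Connect server.
Import-Module ADSync

# Assumed connector names - replace with the case-sensitive names from Get-ADSyncConnector.
$adConnector  = 'corp.example.com'               # on-premises AD connector
$aadConnector = 'example.onmicrosoft.com - AAD'  # Azure AD connector

# 1. Sanity check (assumed property): password hash sync must already be enabled
#    on the AD connector, otherwise there is nothing to force.
$cfg = Get-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector
if (-not $cfg.Enabled) {
    throw "Password hash sync is not enabled on '$adConnector'; enable it in the Azure AD Connect wizard first."
}

# 2. Mark the AD connector so the next password sync cycle is a full one.
$c = Get-ADSyncConnector -Name $adConnector
$p = New-Object Microsoft.IdentityManagement.PowerShell.ObjectModel.ConfigurationParameter `
        'Microsoft.Synchronize.ForceFullPasswordSync', String, ConnectorGlobal, $null, $null, $null
$p.Value = 1
$c.GlobalParameters.Remove($p.Name) | Out-Null   # drop any stale copy of the flag
$c.GlobalParameters.Add($p)
$c = Add-ADSyncConnector -Connector $c            # persist the modified connector

# 3. Toggle password sync off and on; the restart picks up the flag and pushes every hash.
Set-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector -TargetConnector $aadConnector -Enable $false
Set-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector -TargetConnector $aadConnector -Enable $true

# 4. Watch progress in the Application log: the Directory Synchronization source logs
#    event 656 for each password sync request and 657 for its result.
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'Directory Synchronization'; Id = 656, 657 } -MaxEvents 20 |
    Select-Object TimeCreated, Id, Message
```

Until the 657 events report success for the affected accounts, users whose hashes have not yet arrived will fail Kerberos and NTLM logons against the managed domain even though their Azure AD sign-in still works, so check the log before declaring the migration done.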
Azure AD Application Proxy
The Azure AD Application Proxy releases include three new preview features, plus four features that are now commercially ready (at the "general availability" or GA stage, in Microsoft's nomenclature). Among the four GA features are "custom domain names, conditional access policies, and Intune NDES."
The three new preview features include Remote Desktop support, isolated network support and support for "non-Windows applications using Kerberos over SPNego," per Microsoft's announcement.
Remote Desktop Services is Microsoft's solution for giving users, typically remote workers, access to remote desktops and published applications, including virtual desktop infrastructure scenarios. It now works with the Azure AD Application Proxy. The security point is that the Remote Desktop Gateway no longer has to be exposed directly to Internet traffic: users are authenticated by Azure AD at the proxy before any connection reaches the gateway.
The new isolated network support preview capability in Azure AD Application Proxy can be used to enable application access "across disparate datacenters," according to Microsoft. For instance, it enables access to applications housed on Amazon Web Services infrastructure or on other infrastructure-as-a-service provider networks. It also supports publishing applications from disaster recovery sites.
Lastly, Microsoft is previewing single sign-on support for non-Windows applications that authenticate using Kerberos over SPNEGO (Simple and Protected GSSAPI Negotiation Mechanism) via its Azure AD Application Proxy service. This extends the existing Kerberos-based SSO beyond Windows-hosted applications. Microsoft is promising that "every application that supports SSO via Kerberos for on-prem domain joined browsers will now provide SSO to your employees authenticating with Azure AD."
In addition, Microsoft plans to roll out a new Azure AD Application Proxy Connector "groups" capability. It will allow applications to be assigned to a connector group to facilitate "high-availability and load balancing," according to a Microsoft blog post. The capability will be available at the preview stage "in the next couple of months."
Kurt Mackie is senior news producer for the 1105 Enterprise Computing Group.