Learn how identity works in a cloud world together with Active Directory, offering a seamless user authentication experience with services like Office 365.
Active Directory from on-premises to the cloud
Overview Technical Article
Published: December 2013 (Updated: January 2016)
Author: Philippe Beraud (Microsoft France)
For information on Active Directory, please see
For the latest information on Azure Active Directory, please see
Copyright © 2016 Microsoft Corporation (http://www.microsoft.com). All rights reserved.
Abstract: Identity management, provisioning, role management, and authentication are key services both on-premises and through the (hybrid) cloud. With the Bring Your Own Apps (BYOA) for the cloud and Software as a Service (SaaS) applications, the desire to better collaborate a la Facebook within the “social” enterprise, and the need to support and integrate with social networks, which leads to a Bring Your Own Identity (BYOI) trend, identity becomes a service where identity “bridges” in the cloud talk to on-premises directories or the directories themselves move and/or are located in the cloud.
Active Directory (AD) is a Microsoft brand for identity related capabilities. In the on-premises world, AD provides a set of identity capabilities and services and is hugely popular (88% of Fortune 1000 and 95% of enterprises use AD). Azure Active Directory (Azure AD) is AD reimagined for the cloud, designed to solve for you the new identity and access challenges that come with the shift to a cloud-centric, multi-tenant world.
Azure AD can be truly seen as an Identity Management as a Service (IDaaS) cloud multi-tenant service. This goes far beyond taking AD and simply running it within a VM in Azure.
This document is intended for IT professionals, system architects, and developers who are interested in understanding the various options for managing and using identities in their (hybrid) cloud environment based on the AD foundation. AD, AD in Azure and Azure AD are indeed useful for slightly different scenarios.
Table of Contents
Understanding the role of Identity Management as a Service (IDaaS)
Fulfilling the on-premises or private cloud’s requirements
Extending AD to a Public Cloud
Extending AD to a Private Cloud
Taking on the challenges of the public cloud
Many applications, one identity repository
Delivering a seamless user authentication experience
Leveraging the Azure AD offerings
Extending Azure AD for external identities
Going beyond
Understanding the role of Identity Management as a Service (IDaaS)
As introduced and further discussed in the whitepaper Towards Identity as a Service (IDaaS) - Use cloud power to solve cloud era challenges, the introductory part of this series of documents, available on the Microsoft Download Center (http://www.microsoft.com/en-us/download/details.aspx?id=36391), the cloud is changing the way in which applications are written.
Accelerated market cycles, multi-tenancy, pure cloud solutions and hybrid deployments, web programmability and the API economics, the rise of devices (smartphones, tablets, etc.) as well as rich clients as consumption models offer without any doubt new opportunities.
For consumers, social media is emerging as a key source of identity. Real world examples of this include organizations that have internet-centric business models. Music download sites such as Spotify, which allow users to log in with their Facebook identities, make it far easier for users to sign up.
Furthermore, usage of social identities appears to be expanding into more conservative areas; for example, the UK government is evaluating Facebook as part of the Identity Assurance (IDA) program, a way of better enabling secure transactions between public sector bodies and citizens.
At the same time these changes present new challenges for the key services (both on-premises and in the cloud) that represent identity lifecycle management, provisioning, role management, authentication and security of users and devices requiring granular access. The net result is to propel identity to first rank of importance.
Key issues that require better identity capabilities include:
The “Bring Your Own Apps” (BYOA) for cloud and Software as-a-Service (SaaS) applications,
The desire to better collaborate a la Facebook within the “social” enterprise where organizations more and more expect to experience themselves as social networks,
The need to support and integrate with social networks, which leads to a “Bring Your Own Identity” (BYOI) trend,
The imperative of quickly becoming part of the API economy,
Identity becomes a service where identity “bridges” in the cloud “talk” to on-premises directories or the directories themselves move and/or are located in the cloud (see the Gartner report 2013 Planning Guide: Identity and Privacy, http://www.gartner.com/id=2221415).
Identity, like compute, storage and networking, is an essential platform service. In the same way that identity played a critical role in the adoption of workgroup computing, identity services will play a critical role as organizations adopt the (hybrid) cloud, embracing and managing the “Bring Your Own Device” (BYOD) trend, and the API economy. Organizations use (or will use) cloud services and applications created by cloud ISVs, Platform-as-a-Service (PaaS) cloud platforms for custom Line of Business (LOB) development, as well as Infrastructure-as-a-Service (IaaS) cloud environments for specific workloads moved to the cloud for IT optimization reasons.
All of the above implies a new Identity Management model. This has to cut costs as well as deployment complexity, not increase them. Organizations need a specialized service that appropriately handles identity as well as security and privacy for them, with an increased level of specialization and professionalization adequate to emerging cyber threats. The key insight this leads to is that you get more capability for less money by leveraging cloud capabilities.
Kim Cameron, Microsoft Chief Identity Architect, is convinced that “organizations will find they need new identity management capabilities to take full advantage of the cloud. They will also find that the most reliable and cost-effective way to obtain these capabilities is through Identity Management as a Service – i.e. using the cloud to master the cloud.”
We can therefore predict with certainty that almost all organizations will subscribe to these identity (hybrid) services. Enterprises will use these services to manage authentication and authorization of internal employees. But in the outward looking world that is emerging so quickly it will be just as important to manage access to services by an organization’s supply chain, its customers (including individuals), its leads and prospects. Governments will use them when interacting with other government agencies, enterprises and citizens.
Identity Management as-a-Service (IDaaS) will directly attack these problems, simplifying life for government and enterprise service providers and their end users. Once again, by leveraging efficiencies of the cloud and automation to get efficiencies in identity, IDaaS can:
Offer ALL necessary high security and high privacy identity capabilities – while maintaining usability.
Provide a business centric portal for configuring identity services.
And finally cut costs.
These requirements and capabilities will drive almost all organizations to subscribe to identity services that are cheaper, broader in scope, more unifying and more capable than the systems of today.
Identity Management as-a-Service (IDaaS) will require that we move beyond the models of identity management that have guided our thinking to date. A new service-based model will emerge combining more advanced capabilities with externalization of operations to achieve reduction in risk, effort and cost. High end security capabilities will become utilities available even to the smallest organizations, resulting in a democratization of the safe Internet.
The next sections discuss in this context Microsoft’s identity offerings in the hybrid era.
Fulfilling the on-premises or private cloud’s requirements
Microsoft has earned widespread adoption of its on-premises identity technology, a suite of capabilities packaged and branded as Windows Server Active Directory (WSAD). AD is used extensively by governments and enterprises world-wide. Its capabilities include:
Single Sign-On (SSO) and access control across a wide range of applications and resources.
Sharing of information between applications - for example, information about people, groups, reporting relationships, roles, contact information, printer locations, and service addresses.
Information protection that enables encryption and controlled access to documents.
Discovery of computers, printers, files, applications, and other resources.
Tools to manage users, groups, and roles; reset passwords; and configure and distribute cryptographic keys, certificates, access policies, and device settings.
Although referred to as “a directory” AD includes a wide gamut of identity services that implement (and have helped drive adoption of) many important standards. These include:
Active Directory Domain Services (AD DS) - directory identity store (which natively uses LDAP).
Kerberos Network Authentication Service (RFC 1510, RFC 4120, etc.).
Active Directory Certificate Services (AD CS) - X.509, PKIX, etc.
Active Directory Federation Services (AD FS) - federation technologies such as WS-Federation and SAML 2.0.
Active Directory Lightweight Directory Services (AD LDS) - directory identity/application store (LDAP).
Related products like Microsoft Forefront Identity Manager (FIM) perform rule-based synchronization with many other identity stores:
Office 365, DSML, DB2, Tivoli, LDIF, Lotus, E-Directory, Oracle Database, SQL Server, Sun Directory Server 6.x, SAP, Oracle PeopleSoft, MySQL, and many others.
FIM also provides advanced self-management capabilities based on work flows; and rule-based smart card management.
AD is widely deployed in the Global 5000 today as their authoritative identity and access management system, as well as in small and medium enterprises, and we will not describe it further here.
The important new information here is that to meet the requirements of hybrid deployment AD can be extended into public clouds and/or into private clouds.
Extending AD to a Public Cloud
Azure Active Directory (Azure AD) has been designed to easily extend AD (in whole or in part) into the public Azure cloud as a directory whose content is owned and controlled by the organization providing the information.
This will be described in the next section.
In addition, for compatibility with existing on-premises applications, it is possible to install WSAD domain controllers (DCs) within Azure data centers where they can service requests from Azure applications running there in the Infrastructure Services.
As a broad usage workload type, WSAD DCs can be deployed either standalone or as part of a larger application, with or without on-premises connectivity (to the organization’s identity infrastructure).
Note Azure AD Domain Services, a cloud based service currently in public preview, gives you a fully WSAD-compatible set of APIs and protocols, delivered as a managed Azure service. In other words, thanks to this new concept, you can now turn on support for all the critical directory capabilities your application and server VMs need, including Kerberos, NTLM, Group Policy and LDAP. For more information, see the blog post Azure AD Domain Services is now in Public Preview – Use Azure AD as a cloud domain controller! (http://blogs.technet.com/b/ad/archive/2015/10/14/azure-ad-domain-services-is-now-in-public-preview-use-azure-ad-as-a-cloud-based-domain-controller.aspx).
Azure Virtual Machines (http://azure.microsoft.com/en-us/services/virtual-machines/) help you move (part of) your business, applications and infrastructure to the cloud without changing existing code, in your own unique way and at your own unique speed.
As its name clearly indicates, Azure Virtual Machines provides support for virtual machines (VMs) provisioned from the cloud. At a glance, a VM consists of a piece of infrastructure available to deploy an operating system and an application. Specifically, this includes a persistent operating system (OS) disk, possibly some persistent data disks, and internal/external networking “glue”/connectivity to hold it all together. With these infrastructure ingredients, it enables the creation of a platform where you can take advantage of the reduced cost and ease of deployment offered by Azure.
VMs indeed give you application mobility, allowing you to move your virtual hard disks (VHDs) back and forth between on-premises and the cloud. This enables you to migrate your existing VM, to bring your own customized Windows Server or Linux images, etc. As a common virtualization file format, VHD has been adopted by hundreds of vendors and is a freely available specification (http://go.microsoft.com/fwlink/p/?linkid=137171) covered under the Microsoft Open Specification Promise (OSP) (http://www.microsoft.com/openspecifications/en/us/programs/osp/default.aspx). The new version, VHDX (http://www.microsoft.com/en-us/download/details.aspx?id=34750), is also available as a free specification covered under the OSP.
While “migration” is a simple goal for any IaaS offering, the ultimate objective is being able to run the exact same on-premises applications and infrastructure, or part of them, in the cloud, thus enabling onboarding and off-boarding of workloads in order to improve the agility of the organization, i.e. its ability to capitalize on new opportunities and respond to changes in business demands.
Such a process might involve transferring an entire multi-VM workload, which may require virtual networks for hybrid connectivity to an on-premises deployment. (This can be seen as a cross-premises deployment.)
This is where Azure Virtual Networks (https://www.windowsazure.com/en-us/services/virtual-network/) come into play. Azure Virtual Networks let you provision and manage virtual networks (VNET) in Azure. A VNET provides the ability to create a logical boundary and place VMs inside it. VNET also provides the capability of connecting Azure Cloud Services (http://www.windowsazure.com/en-us/home/scenarios/cloud-services/) (VMs, web roles, and worker roles).
Azure Virtual Network provides control over the network topology, including configuration of IP addresses, routing tables and security policies. A VNET has its own private address space. The address space is IPv4 only (but could be extended to IPv6 in a future release).
Note Azure Virtual Network also allows you to securely extend on-premises networks into the cloud. With the ability to assign a private address range to its VNET, you can indeed treat it as an extension of your own corporate private network address space by establishing appropriate gates (VPN gateway) between your on-premises corporate private network and virtual network(s) in Microsoft Azure.
For that purpose, Azure Virtual Network enables you to set up secure site-to-site connectivity between the organization’s corporate VPN gateway and Azure, and then to connect the organization’s on-premises corporate network to the organization’s Azure tenant by using a VPN gateway along with the industry-standard IPsec protocol.
With such a capability, IT administrators can easily create a logically isolated private environment in Azure, and connect it to the organization’s on-premises IT infrastructure by using a secure VPN tunnel. Once set up, the isolated Azure environment can be viewed as a natural extension of the on-premises corporate network.
To summarize, Azure Virtual Network allows you to create private network(s) of VMs in your Azure tenant environment that you can assign IP addresses to (and then optionally connect to your data center through a VPN gateway). Using this method, you can seamlessly connect on-premises (virtual) machines to VMs running in your Azure tenant.
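The following script is an added example, not code from the paper or from Microsoft, showing how the pieces described above fit together: a VNET with a private address range, the mandatory GatewaySubnet, a route-based VPN gateway and a site-to-site IPsec connection to an on-premises VPN device, using the AzureRM PowerShell module. The resource group, region, resource names, address ranges and the on-premises gateway address are assumed placeholders; the two address spaces must not overlap or the gateway cannot route between them.

```powershell
# Added example (not from the paper): VNET + site-to-site IPsec VPN with the
# AzureRM module. Names, region, ranges and the on-premises VPN address are
# assumed placeholders.
Login-AzureRmAccount   # interactive sign-in to the Azure tenant

$rg          = "rg-hybrid-identity"       # assumed resource group
$location    = "West Europe"              # assumed region
$vnetRange   = "10.10.0.0/16"             # assumed: Azure side, must not overlap on-premises
$onPremRange = "192.168.0.0/16"           # assumed: corporate private range behind the VPN device
$onPremVpnIp = "203.0.113.10"             # assumed: public IP of the corporate VPN device
$sharedKey   = Read-Host "IPsec pre-shared key"   # must match the on-premises device configuration

New-AzureRmResourceGroup -Name $rg -Location $location

# Two subnets: one for the domain controllers, and the 'GatewaySubnet' that
# Azure requires for the VPN gateway itself (the name is mandatory).
$dcSubnet = New-AzureRmVirtualNetworkSubnetConfig -Name "snet-dc" -AddressPrefix "10.10.1.0/24"
$gwSubnet = New-AzureRmVirtualNetworkSubnetConfig -Name "GatewaySubnet" -AddressPrefix "10.10.255.0/27"
$vnet = New-AzureRmVirtualNetwork -Name "vnet-hybrid" -ResourceGroupName $rg -Location $location `
    -AddressPrefix $vnetRange -Subnet $dcSubnet, $gwSubnet

# The local network gateway describes the on-premises side: the public address
# of the corporate VPN device and the private ranges reachable behind it.
$localGw = New-AzureRmLocalNetworkGateway -Name "lgw-corp" -ResourceGroupName $rg -Location $location `
    -GatewayIpAddress $onPremVpnIp -AddressPrefix $onPremRange

# Public IP and IP configuration for the Azure VPN gateway.
$gwPip = New-AzureRmPublicIpAddress -Name "pip-vpngw" -ResourceGroupName $rg -Location $location `
    -AllocationMethod Dynamic
$gwSubnetRef = Get-AzureRmVirtualNetworkSubnetConfig -Name "GatewaySubnet" -VirtualNetwork $vnet
$gwIpConfig  = New-AzureRmVirtualNetworkGatewayIpConfig -Name "vpngw-ipcfg" `
    -SubnetId $gwSubnetRef.Id -PublicIpAddressId $gwPip.Id

# Route-based IPsec VPN gateway (provisioning takes some time).
$vpnGw = New-AzureRmVirtualNetworkGateway -Name "vpngw-hybrid" -ResourceGroupName $rg -Location $location `
    -IpConfigurations $gwIpConfig -GatewayType Vpn -VpnType RouteBased -GatewaySku Basic

# The connection itself: IPsec between the Azure gateway and the corporate device.
New-AzureRmVirtualNetworkGatewayConnection -Name "cn-corp-to-azure" -ResourceGroupName $rg -Location $location `
    -VirtualNetworkGateway1 $vpnGw -LocalNetworkGateway2 $localGw -ConnectionType IPsec -SharedKey $sharedKey

# Check: the status moves to 'Connected' once the on-premises device is
# configured with the same pre-shared key and the matching address ranges.
(Get-AzureRmVirtualNetworkGatewayConnection -Name "cn-corp-to-azure" -ResourceGroupName $rg).ConnectionStatus
```

The pre-shared key is read interactively rather than stored in the script so it does not end up in source control; the on-premises device must be configured with the same key, the Azure gateway's public address and the VNET range before the connection status changes from NotConnected.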
The above capabilities enable the support of three typical key Microsoft workloads to deploy in the cloud:
Active Directory. A hybrid identity solution with extensive networking expectations.
SQL Server. A database workload with expectations for exceptional disk performance.
SharePoint Server. A large-scale, multi-tier application with a load-balanced front-end. Moreover, SharePoint Server deployments include Active Directory and SQL Server.
These broad workload types can be deployed either standalone or as part of a larger application, with or without on-premises connectivity.
In the specific context of this paper, Azure Virtual Machines and Azure Virtual Network make AD in Azure a reality today.
The fundamental requirements for deploying AD on VM(s) in Azure differ very little from deploying it in VMs (and, to some extent, physical machines) on-premises. For example, if the domain controllers that you deploy on VMs are replicas in an existing on-premises corporate domain/forest, then the Azure deployment can largely be treated in the same way as you might treat any other additional AD site. That is, subnets must be defined in AD, a site created, the subnets linked to that site, and connected to other sites using appropriate site-links. There are, however, a number of differences that are common to all Azure deployments and some that vary according to the specific deployment scenario.
Install a new Active Directory forest on an Azure virtual network (http://www.windowsazure.com/en-us/manage/services/networking/active-directory-forest/) and Guidelines for Deploying Windows Server Active Directory on Azure Virtual Machines (http://msdn.microsoft.com/library/azure/jj156090) cover the fundamental differences and explain in great detail how to successfully deploy and operate AD in Azure. The former deals with a standalone configuration in the cloud whereas the latter highlights the requirements for deploying AD in a hybrid scenario in which AD is partly deployed on-premises and partly deployed on VMs in Azure.
Whatever the scenario, AD in Azure simply means AD running in your VMs in your Azure tenant, for the best compatibility with existing applications and for hybrid applications.
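The site topology steps listed above (define the subnet in AD, create a site, link the subnet to it, connect it to the other sites with a site link) can be scripted with the ActiveDirectory module. This is an added example, not code from the paper or from the referenced Microsoft guidelines; the site name, the subnet, the existing on-premises site name and the link cost are assumed placeholders.

```powershell
# Added example (not from the paper): register an Azure VNET subnet as an
# additional AD site so that DCs placed in Azure replicate over a dedicated
# site link and clients in that subnet locate the nearest DC. Run on a
# domain-joined admin workstation with RSAT; values below are assumed.
Import-Module ActiveDirectory

$azureSite   = "Azure-WestEurope"          # assumed site name
$azureSubnet = "10.10.1.0/24"              # assumed: the VNET subnet holding the DCs
$hubSite     = "Default-First-Site-Name"   # assumed: existing on-premises site
$linkName    = "OnPrem-Azure"              # assumed site link name

# 1. Create the site for the Azure location (idempotent).
if (-not (Get-ADReplicationSite -Filter "Name -eq '$azureSite'")) {
    New-ADReplicationSite -Name $azureSite -Description "Domain controllers running in Azure VMs"
}

# 2. Define the Azure subnet and associate it with the site, so the DC locator
#    sends Azure-based clients to DCs in this site instead of across the VPN.
if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$azureSubnet'")) {
    New-ADReplicationSubnet -Name $azureSubnet -Site $azureSite
}

# 3. Connect the site to the on-premises site. A higher cost than the LAN
#    links and a longer interval suit a VPN path.
if (-not (Get-ADReplicationSiteLink -Filter "Name -eq '$linkName'")) {
    New-ADReplicationSiteLink -Name $linkName -SitesIncluded $hubSite, $azureSite `
        -Cost 200 -ReplicationFrequencyInMinutes 30 -InterSiteTransportProtocol IP
}

# 4. Check: subnets attached to the Azure site, and the site links that include it.
Get-ADReplicationSubnet -Filter * |
    Where-Object { $_.Site -like "CN=$azureSite,*" } |
    Select-Object Name, Site
Get-ADReplicationSiteLink -Filter * |
    Where-Object { $_.SitesIncluded -match $azureSite } |
    Select-Object Name, Cost, ReplicationFrequencyInMinutes
```

Each step is guarded so the script can be re-run safely; the replication interval and cost are a starting point and should be tuned to the bandwidth and latency of the VPN connection.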
AD in Azure is NOT Azure AD, a REST-based service that provides identity management and access control capabilities for modern business applications.
Extending AD to a Private Cloud
AD can also be deployed as the backbone of a private cloud run in any data center chosen by the organization deploying it.
This private cloud backbone can be tightly connected as an integral part of the organization’s on-premises AD or be loosely coupled (through MIM synchronization for example).
Taking on the challenges of the public cloud
Azure AD is Microsoft’s vehicle for providing IDaaS capabilities in a public cloud. Microsoft’s approach to IDaaS is deeply grounded in – and extends – the proven concepts of on-premises AD.
The foundational concept of on-premises AD is that the content of the directory is the property of the organization deploying it and access to and use of that content is completely under the organization’s control. This is also the fundamental concept behind Azure AD.
Azure AD is NOT a monolithic directory of information belonging to Microsoft, but rather, at the time of writing, more than three million different directories belonging to and completely controlled by different organizations.
This architecture and commitment is called “multi-tenant” and great care has been provided to insulate tenants (organizations) from each other and from their service operator – Microsoft.
Furthermore, when efforts to create a new cloud based Identity Management as a Service (IDaaS) platform on Azure started a few years ago, Microsoft knew the world had changed (or was about to change). To help you successfully bridge into the modern world of devices and cloud services, we were going to have to do a lot of things differently:
We were going to need to create new company directories in under a minute.
We were going to need to scale to millions of companies with billions of users. This is already the case for companies.
We were going to have to deliver rock solid reliability and assure that even when a datacenter went down, the Azure AD service wouldn't go down.
We were going to have to modernize our device support going beyond the PC and other Microsoft devices to support a diverse world of smartphones and tablets.
We were going to need to base our system on modern internet standards and protocols like OAuth 2.0, OpenID Connect, SCIM, and OData beyond the support of SAML 2.0, WS-Federation, and WS-Trust.
We were going to need to federate with popular on-premises enterprise federation servers from various vendors or open source communities along with consumer IDP's like Microsoft Account, Facebook, Google, Yahoo.
We were going to need to build a system that respected user privacy, company data ownership and geo-political data sovereignty laws.
We were going to need to provide world-class support for developers and IT personnel working with non-Microsoft platforms.
We were going to have to make getting a directory friction free so that every company in the world could benefit from the power of an enterprise directory without requiring a cross-company planning and deployment team.
Taking all of the above as a starting point, we have re-engineered AD to support massive scale, devices based on any operating system or architecture, modern business applications (http://www.microsoft.com/en-us/server-cloud/cloud-os/modern-business-apps.aspx), modern protocols, high availability, and integrated disaster recovery.
Since we first talked about it in November 2011, Azure AD has shown itself to be a robust identity and access management service for Microsoft cloud services like Office 365, Dynamics CRM Online, Intune and Azure to store user identities and other tenant properties. A number of people are (still) surprised to find out that every Office 365 customer already has an Azure AD directory.
Moreover, Azure AD is available for use by organizations who have applications running on any cloud platform or on-premises, and is offered as a service on the Azure Cloud platform (see below). Tenants can control the geographical region or regions (US, Europe, Asia, and China) in which their data resides.
Since its introduction, Azure AD "has handled 400 billion identity authentications in Azure AD". "We have 350 million Azure Active Directory users. […] We actually process 4 billion, with a B, authentications every week with Azure Active Directory". This is a real testament to the level of scale we can handle. “At a high level, Azure AD is a high availability, geo-redundant, multi-tenanted, multi-tiered cloud service that has delivered 99.99% uptime for over a year now. We run it across 28 datacenters around the world. Azure AD has stateless gateways, front end servers, application servers, and sync servers in all of those data centers. Azure AD also has a distributed data tier that is at the heart of our high availability strategy. Our data tier holds more than 500 million objects and is running across 13 data centers.”
No other cloud directory offers this level of enterprise reliability or proven scale. Quoting from the report KuppingerCole Leadership Compass Cloud User and Access Management (http://news.microsoft.com/itanalyst/docs/06-20-14CompassCloudUser.pdf): "Looking at the Market Leadership chart, we see Microsoft being the clear leader. This is based on the fact that their Azure Active Directory on one hand shows good direct acceptance and on the other builds the foundation for widely used Microsoft Office 365. Furthermore, Microsoft has an exceptionally strong partner ecosystem."
Last year, Gartner in their Magic Quadrant (MQ) for Identity Management as a Service (IDaaS) [Gartner, June 2015] placed Azure AD, after only its first year of availability, in the “Visionaries” quadrant. As of this writing, Gartner has just released their MQ for IDaaS for 2016 [Gartner, June 2016], and Azure AD Premium has been placed in the “Leaders” quadrant, positioned very strongly for completeness of vision.
Important note The above graphic was published by Gartner, Inc. as part of a larger research document - complimentary access is provided here (https://info.microsoft.com/EMS-IDaaS-MQ-2016.html) - and should be evaluated in the context of the entire document. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
As Alex Simons, Director of Program Management, Microsoft Identity and Security Services Division, says, “we’re thrilled with the result. It really validates our vision of providing a complete solution for hybrid identity and access for supporting employees, partners and customers all backed by world class security based on Microsoft’s intelligent security graph. This result says a lot about our commitment in the identity and access management space but more importantly about our customers, implementation partners and ISV partners who have worked together with us. They have been awesome about sharing their time and energy every day, to make sure that the products and services we build meet their needs and are helping them position their companies to thrive in the emerging world of cloud and devices.
You might be surprised to know that Microsoft also is the only vendor in the Leader quadrant across Gartner’s Magic Quadrants for IDaaS, Cloud Infrastructure as a Service (IaaS), Server Virtualization, Application Platform as a Service, Cloud Storage Services, and as a leader across the data platform and productivity services. This really shows you why customers are choosing Microsoft across the full spectrum of cloud computing – our services are well integrated and also among the best available in their individual categories.
Our effort doesn’t stop here. We have a lot of hard work ahead of us and we are planning to deliver more innovative capabilities to further improve our position in the “leaders” quadrant.”
Note For more information on the available Azure AD editions, see later in this document and/or the MSDN article Azure Active Directory editions (http://msdn.microsoft.com/en-us/library/azure/dn532272.aspx). For more information on the usage model, see Azure Active Directory Pricing (http://www.windowsazure.com/en-us/pricing/details/active-directory/).
Many applications, one identity repository
As a cloud based directory being optimized to support modern business applications and consequently modern protocols based on http/REST, Azure AD makes it easy at either regional or global scale to:
Provision users and register devices, and manage them and their lifecycle via a RESTful web API, the
Deliver a (federated) single sign-on experience for:
(cloud-based) web applications and web APIs on Azure or in other clouds such as Amazon Web Services (AWS),
Mobile and native applications (with or without a back-end in the cloud like the one proposed through Azure Mobile Apps, http://azure.microsoft.com/en-us/services/mobile-services/).
Note Using the Azure AD support, mobile business applications can use the same easy Mobile Services authentication experience to allow employees to sign into their mobile applications with their corporate Active Directory credentials. With this feature, Azure AD is supported as an identity provider in Mobile Services alongside the other identity providers we already support (which include Microsoft Accounts, Facebook ID, Google ID, and Twitter ID).
Microsoft services like Office 365, Dynamics CRM Online, and Intune, as well as 3rd party pre-integrated SaaS applications, thus eliminating the need for multiple usernames and passwords and limiting helpdesk calls and password resets.
Note To make the configuration even easier, thousands of cloud SaaS pre-integrated applications (http://azure.microsoft.com/en-us/marketplace/active-directory/) like ADP, Concur, Google Apps, Salesforce.com and others, regardless of the public cloud they are hosted on, are preconfigured via an application gallery with all the parameters needed to federate with them, thanks to the Application Access Enhancements for Azure AD (http://technet.microsoft.com/en-us/library/dn308588.aspx).
Single sign-on is the ability for a user to login in once and not have to re-enter their credentials each time when accessing different applications, APIs, or clouds. This represents an important part of Azure AD because it delivers a secure, yet simple and seamless way for users to connect to their resources running somewhere in the cloud.
Manage users’ conditional access to (cloud-based) web applications, web APIs, Microsoft cloud services, 3rd party SaaS applications, and native (mobile) client applications, and have the benefits of security, auditing and reporting all in one place.
Connect (cloud-based) web applications, web APIs, Microsoft cloud services, 3rd party SaaS pre-integrated applications, and native (mobile) client applications to the directory (tenant) through the use of REST/HTTP interfaces and to fully leverage the enterprise graph represented by the directory tenant.
Note The approach of using standard REST interfaces to operate over a graph containing entities (nodes) and relationships (arcs) between entities - often referred to as a graph interface - is very common on the Internet nowadays. For more information on networks and graphs, we recommend the book Networks, Crowds, and Markets: Reasoning About a Highly Connected World (http://www.cambridge.org/gb/knowledge/isbn/item2705443), published by Cambridge University Press.
Revoke access to (cloud-based) web applications, web APIs, Microsoft cloud services, 3rd party SaaS applications, and native (mobile) client applications when an employee leaves the organization or changes jobs.
Manage federation and access to cloud facing services for partners and customers.
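The "revoke access when an employee leaves" item above is the one that deserves a concrete procedure, because in a hybrid tenant it spans both directories. The script below is an added example, not code from the paper or from Microsoft: it assumes Azure AD Connect synchronizes the on-premises forest to the tenant, that the ActiveDirectory and AzureAD PowerShell modules are installed, and that the operator holds the required roles. The user principal name is an assumed placeholder.

```powershell
# Added example (not from the paper): offboard a leaver in a hybrid tenant.
# Assumes Azure AD Connect sync, the ActiveDirectory and AzureAD modules, and
# an operator with the required on-premises and tenant roles. The UPN is an
# assumed placeholder.
Import-Module ActiveDirectory
Import-Module AzureAD

$upn = "jane.doe@contoso.example"   # assumed placeholder

# 1. On-premises (source of authority for a synced user): disable the account
#    and remove group memberships. Azure AD Connect propagates both to the
#    cloud object on its next sync cycle; cloud-side edits to synced objects
#    are rejected, which is why this is done here and not in the tenant.
$adUser = Get-ADUser -Filter "UserPrincipalName -eq '$upn'"
Disable-ADAccount -Identity $adUser
Get-ADPrincipalGroupMembership -Identity $adUser |
    Where-Object { $_.Name -ne "Domain Users" } |      # primary group cannot be removed
    ForEach-Object { Remove-ADGroupMember -Identity $_ -Members $adUser -Confirm:$false }
# Optionally trigger a delta sync from the Azure AD Connect server instead of waiting:
#   Start-ADSyncSyncCycle -PolicyType Delta

# 2. Cloud: tokens already issued remain valid until they expire, so revoke the
#    user's refresh tokens now rather than relying on the sync cycle alone.
Connect-AzureAD
$cloudUser = Get-AzureADUser -ObjectId $upn
Revoke-AzureADUserAllRefreshToken -ObjectId $cloudUser.ObjectId

# 3. Cloud: remove memberships of cloud-only groups (synced groups were handled
#    in step 1 and would be rejected here).
Get-AzureADUserMembership -ObjectId $cloudUser.ObjectId |
    Where-Object { $_.ObjectType -eq "Group" } |
    ForEach-Object {
        $grp = Get-AzureADGroup -ObjectId $_.ObjectId
        if (-not $grp.DirSyncEnabled) {
            Remove-AzureADGroupMember -ObjectId $grp.ObjectId -MemberId $cloudUser.ObjectId
        }
    }

# 4. Verify: after the next sync the account shows AccountEnabled = False and
#    no direct group memberships remain.
Get-AzureADUser -ObjectId $upn | Select-Object UserPrincipalName, AccountEnabled
(Get-AzureADUserMembership -ObjectId $cloudUser.ObjectId | Measure-Object).Count
```

Step 2 is the part that is easy to forget: disabling the account stops new sign-ins, but sessions that already hold a refresh token keep working until it is revoked or expires, so the revocation should happen at the same time as the on-premises change, not after the sync catches up.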
Interestingly enough, you can extend the same experience to your on-premises applications as well, because increasingly you’re managing both on-premises and cloud-based applications. With Azure AD Application Proxy (https://msdn.microsoft.com/en-us/library/azure/dn768219.aspx), a feature of the Azure AD Premium edition, you can bring those traditional on-premises applications, such as a SharePoint site (http://msdn.microsoft.com/en-us/library/azure/dn879794.aspx), right into Azure AD. You thus have a single control plane.
Delivering a seamless user authentication experience
For organizations who already run an on-premises identity infrastructure, Azure AD has everything needed to get your on-premises directory connected to the cloud and integrate with it.
Azure AD includes Azure Active Directory Connect (Azure AD Connect, http://www.microsoft.com/en-us/download/details.aspx?id=47594), a single and unified wizard that streamlines and automates the overall onboarding process for both directory synchronization with on-premises AD mono-forest and multi-forest environments (including password (hash of hash) synchronization) and single sign-on if you want to.
Azure AD Connect is the one stop shop for connecting your on-premises directories to Azure AD, whether you are evaluating, piloting, or in production.
Azure AD Connect replaces both the Directory Synchronization (DirSync) tool (http://go.microsoft.com/fwlink/?LinkID=278924) and the Azure Active Directory Synchronization Services (Azure AD Sync) tool (download: http://www.microsoft.com/en-us/download/details.aspx?id=44225).
Note The Azure AD Sync tool released in September 2014 was considered the successor of the DirSync tool, as it provided the long-awaited capability to manage AD and Exchange multi-forest environments. Azure AD Sync offers a new range of capabilities, such as control over which attributes are synchronized based on the cloud services you want to consume, the ability to set up the connection to AD with minimal AD privileges, the ability to set up synchronization rules by mapping attributes and controlling how values flow to the cloud, password synchronization from multiple on-premises AD forests to Azure AD, etc.
Interestingly, Azure AD Connect allows upgrading or migrating your existing DirSync or Azure AD Sync deployment quickly and easily with little or no impact.
Azure AD Connect leverages Azure AD Sync as the synchronization engine, and includes a rich set of sync and write-back capabilities:
Enable your users to perform self-service password reset in the cloud with write-back to on-premises AD.
Enable provisioning from the cloud with user write back to on-premises AD.
Enable write back of “Groups in Office 365” to on-premises distribution groups in a forest with Exchange.
Enable device write back so that your on-premises access control policies enforced by AD FS can recognize devices that registered with Azure AD. This includes the recently announced support for Azure AD Join in Windows 10.
Note For more information, see the whitepaper Azure AD & Windows 10: better Together for Work and School (http://www.microsoft.com/en-us/download/details.aspx?id=36391).
Note For the version release history of Azure AD Connect, see the article Azure AD Connect: Version Release History (https://azure.microsoft.com/en-us/documentation/articles/active-directory-aadconnect-version-history/).
Sync custom directory attributes to your Azure AD tenant and consume them from your cloud applications.
Note For additional information, see the blog post Azure AD Connect & Connect Health is now GA! (http://blogs.technet.com/b/ad/archive/2015/06/24/azure-ad-connect-amp-connect-health-is-now-ga.aspx), and the Microsoft articles Integrating your on-premises identities with Azure Active Directory (https://azure.microsoft.com/en-us/documentation/articles/active-directory-aadconnect/) and Azure Active Directory Connect (https://msdn.microsoft.com/en-us/library/azure/dn832695.aspx).
Note Using FIM, organizations can continue to fully control the partitioning of information between on-premises and the cloud, support AD multi-forest environments (as Azure AD Connect does), and support directories and data sources other than AD, for example OpenLDAP or SAP (as Azure AD Connect will). The Azure AD connector (http://www.microsoft.com/en-us/download/details.aspx?id=41166) indeed makes it possible to connect an existing FIM 2010 R2 platform with Azure AD. As of this writing, however, it should be considered deprecated.
Azure AD supports integration with AD FS and other third-party security token services (STS) such as Shibboleth 2, PingFederate, SiteMinder, etc. (http://technet.microsoft.com/en-us/library/jj679342.aspx) to provide a (federated) single sign-on experience for corporate users while keeping user passwords on-premises, if the same sign-on experience enabled by the password (hash of hash) synchronization capability of Azure AD Connect isn't sufficient and/or doesn't fulfill your security requirements.
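To make the "hash of hash" wording of the password synchronization capability concrete, the following Python example is added here for illustration; it is not code from Azure AD Connect, Azure AD, or Microsoft. It models the principle the two paragraphs above rely on: the value that leaves the on-premises side is a per-user salted, iterated derivation of the NT hash, never the password and never the raw NT hash, so the cloud can verify a sign-in without ever holding a credential that is directly reusable against on-premises AD. The salt length, the iteration count, the hex expansion step and the record layout are assumptions chosen for this example, not a reproduction of the sync agent's implementation.

```python
import hashlib
import hmac
import os
from typing import Optional

# Illustrative parameters (assumptions for this example, not the sync agent's):
# a per-user random salt and an iterated PBKDF2-HMAC-SHA256 derivation.
SALT_BYTES = 10
ITERATIONS = 1000


def nt_hash(password: str) -> bytes:
    """The on-premises credential: MD4 over the UTF-16LE password (the NT hash).
    Builds whose OpenSSL no longer exposes MD4 fall back to SHA-256 so the
    example still runs; that fallback is a stand-in, not the real NT hash."""
    data = password.encode("utf-16-le")
    try:
        return hashlib.new("md4", data).digest()
    except ValueError:
        return hashlib.sha256(data).digest()


def derive_sync_hash(on_prem_hash: bytes, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """The 'hash of hash': what is synchronized is a salted, iterated derivation
    of the NT hash. The raw NT hash itself never leaves the domain."""
    # Expanding the binary hash to its hex text before key derivation is an
    # assumption made here for illustration.
    expanded = on_prem_hash.hex().encode("utf-16-le")
    return hashlib.pbkdf2_hmac("sha256", expanded, salt, iterations)


def build_sync_record(password: str, salt: Optional[bytes] = None) -> dict:
    """What the on-premises sync side would emit for one user (constructed record)."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    return {
        "salt": salt,
        "iterations": ITERATIONS,
        "sync_hash": derive_sync_hash(nt_hash(password), salt),
    }


def cloud_verify(record: dict, password_attempt: str) -> bool:
    """Cloud-side check at sign-in time: recompute the derivation from the
    password the user typed and compare in constant time."""
    candidate = derive_sync_hash(nt_hash(password_attempt), record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["sync_hash"])


def record_contains_nt_hash(record: dict, password: str) -> bool:
    """Defender's sanity check: the synchronized blob must neither equal nor
    embed the NT hash, otherwise a cloud-side leak would be a pass-the-hash
    credential for the on-premises forest."""
    h = nt_hash(password)
    return h == record["sync_hash"] or h in record["sync_hash"]


if __name__ == "__main__":
    rec = build_sync_record("Constructed-Passw0rd!")  # constructed sample password
    print("correct password accepted:", cloud_verify(rec, "Constructed-Passw0rd!"))
    print("wrong password rejected:", not cloud_verify(rec, "not-the-password"))
    print("NT hash absent from synced record:", not record_contains_nt_hash(rec, "Constructed-Passw0rd!"))
```

Two properties are worth checking in any such design: two users with the same password produce different synchronized values because the salt is per user, and the synchronized value cannot be fed back to on-premises AD in place of the NT hash. The example's `record_contains_nt_hash` check expresses the second property; it is the reason "hash of hash" matters when weighing password synchronization against the federated option described above.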
Important note In addition to directory synchronization (from one or multiple directories) and password sync, the Azure AD Connect tool also streamlines the overall onboarding process for single sign-on, and as such automatically performs the following steps: download and setup of all the prerequisites; download, setup, and/or configuration of AD FS (AD FS being the preferred STS); etc.
The Azure Active Directory Connect Health (Azure AD Connect Health, https://msdn.microsoft.com/en-us/library/azure/dn906722.aspx) cloud-based service in the new Azure Portal (https://portal.azure.com/) helps you monitor and gain insight into the health, performance, and login activity of your on-premises identity infrastructure. As such, it lets you view alerts, performance, usage patterns, and configuration settings, helps you maintain a reliable connection to Azure AD, and much more.
While the currently available GA release focuses on AD FS, a public preview of Connect Health for sync now allows you to monitor and gain insights into the sync service of Azure AD Connect. For more information, see the blog post Azure AD Connect Health for sync is now in Public Preview! (http://blogs.technet.com/b/ad/archive/2015/11/05/azure-ad-connect-health-for-sync-is-now-in-public-preview.aspx).
Deployment integration with Azure AD Application Proxy, and additional sync and sign-on options, will also be added in the future.
Azure AD Connect Health is a feature of the Azure AD Premium edition (see later in this document) and represents a key part of our effort to help you monitor and secure your cloud and on-premises identity infrastructure. For more information, see the article Monitor your on-premises identity infrastructure in the cloud (https://azure.microsoft.com/en-us/documentation/articles/active-directory-aadconnect-health/).
Connecting customers' existing on-premises directories to Azure AD fully satisfies the requirements of hybrid deployments and hybrid identities in this context, and provides unified authentication and access management for both cloud and on-premises services and systems, eliminating the need to maintain new, independent cloud directories. In the end, Azure AD provides your corporate users with a seamless same sign-on or (federated) single sign-on experience across all your applications, while simplifying the adoption of SaaS subscriptions as well as the development of your own modern business applications.
Modern business applications live in an environment that includes a broad spectrum of mobile and native clients, server-to-server communication, and web APIs, in addition to traditional browser-and-website interactions. Thus, to address all the scenarios introduced by these applications, Azure AD, as a next-generation authentication platform, is designed to meet these new requirements through standard, modern HTTP/REST protocols such as OpenID Connect, OAuth 2.0, and OData (http://blogs.technet.com/b/ad/archive/2014/09/09/openid-connect-and-oauth-2-0-support-in-azure-active-directory-has-ga-d.aspx), in addition to SAML 2.0, WS-Federation, and WS-Trust.
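Whichever of these protocols an application uses, the security of the integration rests on how strictly the application validates the token it receives from the directory. The following Python example is added here to show the validation steps an OpenID Connect relying party performs on an id_token (signature and algorithm allow-list first, then issuer, audience, validity period and nonce); it is not code from Azure AD or from any Microsoft library. To run offline it signs a constructed token with HMAC-SHA256 (HS256) under a shared secret, whereas Azure AD signs with RSA keys published through its discovery metadata; the issuer and audience strings are placeholders, not real tenant or application identifiers.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


class TokenValidationError(Exception):
    """Raised for any token that must be rejected."""


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _decode_json_segment(segment: str) -> dict:
    try:
        return json.loads(_b64url_decode(segment))
    except (ValueError, TypeError):
        raise TokenValidationError("segment is not valid base64url JSON")


def make_id_token(claims: dict, key: bytes) -> str:
    """Builds a constructed HS256 id_token so the example runs offline.
    (Azure AD itself issues RS256 tokens; this signing is a stand-in.)"""
    header = {"alg": "HS256", "typ": "JWT"}
    segs = [_b64url_encode(json.dumps(obj, separators=(",", ":")).encode()) for obj in (header, claims)]
    signing_input = ".".join(segs)
    signature = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(signature)


def validate_id_token(token: str, key: bytes, issuer: str, audience: str, nonce: str,
                      now: Optional[float] = None, leeway: int = 60) -> dict:
    """Order matters: reject unexpected algorithms and bad signatures before
    trusting any claim, then check iss, aud, exp/nbf and the nonce."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenValidationError("token is not a three-part compact JWT")
    header_b64, payload_b64, signature_b64 = parts
    header = _decode_json_segment(header_b64)
    # Allow-list the algorithm: "none" and algorithm switching are rejected here.
    if header.get("alg") != "HS256":
        raise TokenValidationError("unexpected signing algorithm")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    try:
        presented = _b64url_decode(signature_b64)
    except ValueError:
        raise TokenValidationError("signature is not valid base64url")
    if not hmac.compare_digest(expected, presented):
        raise TokenValidationError("signature mismatch")
    claims = _decode_json_segment(payload_b64)
    if claims.get("iss") != issuer:
        raise TokenValidationError("issuer mismatch")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise TokenValidationError("audience mismatch: token was minted for another app")
    if "exp" not in claims or now > claims["exp"] + leeway:
        raise TokenValidationError("token expired")
    if "nbf" in claims and now < claims["nbf"] - leeway:
        raise TokenValidationError("token not yet valid")
    if claims.get("nonce") != nonce:
        raise TokenValidationError("nonce mismatch: possible replay")
    return claims


def is_valid(token: str, key: bytes, issuer: str, audience: str, nonce: str,
             now: Optional[float] = None) -> bool:
    """Boolean wrapper for callers that only need accept/reject."""
    try:
        validate_id_token(token, key, issuer, audience, nonce, now=now)
        return True
    except TokenValidationError:
        return False


if __name__ == "__main__":
    # Placeholder tenant and application identifiers, constructed for this example.
    key = b"constructed-shared-secret"
    iss = "https://sts.windows.net/00000000-0000-0000-0000-000000000000/"
    aud = "11111111-1111-1111-1111-111111111111"
    now = 1700000000
    tok = make_id_token({"iss": iss, "aud": aud, "sub": "user-1", "nonce": "n-1",
                         "iat": now, "exp": now + 3600}, key)
    print("valid token accepted:", is_valid(tok, key, iss, aud, "n-1", now=now))
    print("wrong audience rejected:", not is_valid(tok, key, iss, "other-app", "n-1", now=now))
```

The audience and nonce checks are the ones most often skipped in practice: without the audience check, a token legitimately issued to one application in the tenant is accepted by another, and without the nonce check a captured token can be replayed into a fresh sign-in.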
Note The OpenID Foundation has recently launched a certification program for OpenID Connect implementations. For more information, see the article The OpenID Foundation Launches OpenID Connect Certification Program (http://openid.net/2015/04/17/openid-connect-certification-program/). Azure AD has successfully passed the certification and is certified as an OpenID Connect identity provider (http://openid.net/certification/).
Having an OpenID Connect certification program provides confidence that certified implementations will "just work" together. This represents another important step on the road to widely-available secure interoperable digital identity for all the devices and applications that people use. Microsoft is proud to be a key contributor to the development of OpenID Connect and now of its certification program.
Azure AD works with any modern browser running on a laptop, tablet or mobile device and can be easily integrated into applications running on a multitude of platforms from Microsoft and 3rd parties.
Conversely, if you are a cloud ISV, you can leverage Azure AD to reach a vast user population, which includes the ever-growing user base of Office 365.
Leveraging the Azure AD offerings
Azure AD is the directory behind Microsoft Online Services subscriptions like Office 365, Dynamics CRM Online, Intune, etc., and is used to store user identities and other tenant properties. Just as the on-premises AD stores the information for Exchange, SharePoint, Lync and your custom LOB apps, Azure AD stores the information for Exchange Online, SharePoint Online, Lync Online and any custom applications built in Microsoft's cloud.
Azure AD is available in three different editions to choose from:
Azure Active Directory (Free). With the Free edition of Azure AD, you can manage user accounts, synchronize with on-premises directories, and get single sign-on across Azure, Office 365, and thousands of popular SaaS applications.
Note This is the free edition used by the above Microsoft Online Services subscriptions. If you have already subscribed to a paid Office 365 subscription, you can benefit from an Azure $0 subscription that you can use to access the Azure management portal (http://manage.windowsazure.com) with your existing Office 365 subscription, in order to directly manage the related Azure AD tenant with the full access management and security feature set and thus empower your Office 365 subscription (http://blogs.technet.com/b/ad/archive/2013/09/10/empower-your-office-365-subscription-identity-management-with-application-access-enhancements-for-windows-azure-ad.aspx). For example, the aforementioned Application Access Enhancements for Azure AD can today only be managed by accessing the directory through the Azure management portal. You can sign up for this $0 subscription by following the link
Note Independently of any Microsoft Online Services subscription, you can sign up for your free Windows AD tenant and trial Azure account by following the link
Azure Active Directory Basic. Azure AD Basic addresses the application access and self-service identity management requirements of task workers with cloud-first needs. With the Basic edition of Azure AD, you get all the capabilities that Azure AD Free has to offer, plus group-based access management, self-service password reset for cloud applications, a customizable environment for launching enterprise and consumer cloud applications, and an enterprise-level SLA of 99.9 percent uptime.
An administrator with the Azure AD Basic edition can activate an Azure AD Premium trial. For more information, see the blog post Azure Active Directory Basic is now GA! (http://blogs.technet.com/b/ad/archive/2014/09/15/azure-active-directory-basic-is-now-ga.aspx).
Azure Active Directory Premium. With the Premium edition of Azure AD, you get all of the capabilities that Azure AD Free and Azure AD Basic have to offer, plus additional feature-rich enterprise-level identity management capabilities.
This edition is part of the Enterprise Mobility Suite (EMS) offering (http://www.microsoft.com/en-us/server-cloud/products/enterprise-mobility-suite/), a comprehensive and cost-effective solution for enterprise mobility needs.
Note The EMS offering is not only available with an Enterprise Agreement (EA, http://www.microsoft.com/en-us/Licensing/licensing-programs/enterprise.aspx) but also through Microsoft's Cloud Solution Provider (CSP, https://mspartner.microsoft.com/en/us/pages/solutions/cloud-reseller-overview.aspx) and Open (http://www.microsoft.com/licensing/licensing-options/open-license.aspx) programs. For additional information, see the blog post Azure AD and Enterprise Mobility Suite now available without an Enterprise Agreement (http://blogs.technet.com/b/ad/archive/2015/03/12/azure-ad-and-enterprise-mobility-suite-now-broadly-available-outside-of-an-enterprise-agreement.aspx).
Note To sign up and start using this edition, see the Microsoft MSDN article Getting started with Azure AD Premium (http://msdn.microsoft.com/en-us/library/azure/dn499825.aspx).
Note For a description of each edition and a comparison table, see the Microsoft article Azure Active Directory Pricing (http://www.windowsazure.com/en-us/pricing/details/active-directory/). For information on the usage constraints and other service limits of the Azure AD service per edition, see the Microsoft MSDN article Azure AD service limits and restrictions (http://msdn.microsoft.com/en-us/library/azure/dn764971.aspx).
Furthermore, global administrators of an Azure AD (Premium) tenant can optionally choose to enable Azure Multi-Factor Authentication support (http://azure.microsoft.com/en-us/services/multi-factor-authentication/) in Azure AD to require their employees to use a second form of authentication when logging into the cloud-based and SaaS applications declared in the directory tenant (e.g. a mobile phone app, an automated phone call, or a text message challenge), enabling even more secure identity access and protecting the organization's identity data in the cloud.
Interestingly enough, the Multi-Factor Authentication service composes nicely with the SaaS support: you can set up secure access to any pre-integrated SaaS application (complete with multi-factor authentication) for your entire organization within minutes.
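The "mobile phone app" form of the second factor mentioned above is, in the general case, a time-based one-time password (TOTP, RFC 6238) that the phone computes from a shared secret and the current time. The following Python example is added here to show how the verifying side of that scheme works and what a careful implementation adds on top of the bare algorithm; it is not code from Azure Multi-Factor Authentication or from Microsoft, and it says nothing about how that service implements its app challenge internally. The secret is the RFC 6238 test key, so the generated values can be checked against the RFC's own table.

```python
import hashlib
import hmac
import struct
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a zero-padded decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP over the number of time steps since the epoch.
    This is what the phone app computes and displays."""
    return hotp(secret, int(unix_time) // step, digits)


class TotpVerifier:
    """Server-side verifier. Beyond recomputing the code it (1) tolerates one
    step of clock drift in either direction, (2) compares in constant time, and
    (3) never accepts a time step at or before the last accepted one, so a code
    observed in transit cannot be replayed while it is still 'fresh'."""

    def __init__(self, secret: bytes, digits: int = 6, step: int = 30, window: int = 1):
        self.secret = secret
        self.digits = digits
        self.step = step
        self.window = window
        self.last_counter: Optional[int] = None  # per-user state, persisted in practice

    def verify(self, submitted: str, unix_time: int) -> bool:
        current = int(unix_time) // self.step
        for delta in range(-self.window, self.window + 1):
            candidate = current + delta
            if self.last_counter is not None and candidate <= self.last_counter:
                continue  # replay protection: that step has already been consumed
            expected = hotp(self.secret, candidate, self.digits).encode("ascii")
            if hmac.compare_digest(expected, submitted.encode("utf-8")):
                self.last_counter = candidate
                return True
        return False


if __name__ == "__main__":
    rfc_secret = b"12345678901234567890"  # RFC 6238 Appendix B test key, not a real secret
    print("TOTP at t=59 (8 digits):", totp(rfc_secret, 59, digits=8))  # RFC table: 94287082
    verifier = TotpVerifier(rfc_secret, digits=8)
    print("first use accepted:", verifier.verify("94287082", 59))
    print("same code again rejected:", not verifier.verify("94287082", 59))
```

The replay rule is the part worth copying: accepting a window of neighbouring steps is necessary for usability, but without remembering the last consumed step the same code is valid for up to 90 seconds on every attempt, which is exactly the interval a phishing relay or a shoulder-surfer needs.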
The above offerings largely target the identity management (IDM) of employees and their devices to access the organization’s resources.
Extending Azure AD for external identities
One of the new capabilities we are engineering in Azure AD is the ability to extend an organization’s IDM services to encompass all the people who interact with its applications and resources accessible online, but who are not directly members of the organization itself.
We will refer to these people as "external identities". Since consumers and partners are chief amongst them, we are introducing two new Azure AD IDaaS capabilities, now in public preview (http://blogs.technet.com/b/ad/archive/2015/09/09/azure-ad-b2c-and-b2b-are-now-in-public-preview.aspx), for addressing them:
New Azure AD B2B collaboration feature for helping secure business-to-business collaboration with the partner organizations that you work with every day.
And a new service for business-to-consumer (B2C) scenarios with individual consumers, Azure AD B2C. As Gartner says in the aforementioned research document (https://info.microsoft.com/Gartner-Magic-Quadrant-EMS.html?ls=Website), "B2C use cases have grown in importance as organizations look to replace a mixture of custom-developed IAM products and traditional on-premises IAM products".
Note The word “consumer” is used here to refer to the ultimate consumer, customer, client, citizen, retiree, or a supporter of a business, government or charity, someone who is acting as an individual, and not as a representative of an organization.
While much of the technology of Azure AD must remain the same (e.g. directory), the IDM of employees, the IDM of business partners, and the IDM of the individual consumers have all many different requirements – thus the need for technologies that interact but are honed to specific problems. To master these requirements, Microsoft has worked closely with a number of customers in private previews. Some of the private preview deployments are already fully in production.
Azure AD B2B collaboration helps improve security while simplifying the management of partner access to resources, including SaaS applications such as Office 365, Salesforce, Dropbox, Workday, etc., and other mobile, cloud, and on-premises claims-aware applications. An email-verified process allows partners of all sizes, with or without an existing Azure AD subscription, to manage their accounts and get single sign-on (SSO) access to the line-of-business (LOB) applications you provide. This improves security, as users lose access when they leave the partner organization, while you control access policies within your organization. It also simplifies administration, as you don't need to manage an external partner directory or per-partner federation relationships. These capabilities can be used with any of the available Azure AD editions, and as part of the Enterprise Mobility Suite (EMS).
Azure AD B2C is a new comprehensive, cloud-based consumer identity and access management solution, currently in public preview, for your consumer-facing applications; it can be integrated into any platform and accessed from any device. Azure AD B2C is a highly available global service that can support hundreds of millions of consumer identities. Azure AD B2C gives individual consumers a choice between "Bringing their own Identity" (BYOI) by using one of their existing social accounts (such as Facebook, Google+, Amazon, or LinkedIn), or creating a new local account (arbitrary email address / username with password).
Note As of this writing, Microsoft Account (MSA) personal identities are not yet supported, due to the work implied by the converged programming model underway, but they will be soon. For information, see the blog post Now in public preview: The Converged Microsoft Account and Azure Active Directory Programming Model (http://blogs.technet.com/b/ad/archive/2015/08/12/azure-ad-microsoft-account-preview-sign-in-personal-and-work-accounts-using-a-single-stack.aspx).
All the above offerings and options accommodate many different requirements, hence the need for B2B and B2C technologies that interact but are honed to specific problems. In fact, Azure AD, Azure AD B2B collaboration and Azure AD B2C can be thought of as a continuum, so the approaches need to be able to be mixed and deployed flexibly.
Azure AD is a comprehensive identity and access management cloud solution, utilizing the enterprise-grade quality and proven capabilities of AD on-premises. It combines core directory services, advanced identity governance, security and application access management.
It offers capabilities that can be leveraged to centralize the identity management needs of your solutions and SaaS subscriptions, whether they are cloud-based, hybrid, or even on-premises. Azure AD is a complete offering that can help you take advantage of your existing on-premises investment, fully outsource the management of your users (and devices) to the cloud, or anything in between. For enterprises with more demanding needs, the advanced offerings Azure AD Basic and Azure AD Premium complete the set of capabilities that this identity and access management solution delivers.
As part of the same series of documents on Azure AD available on the Microsoft Download Center (http://www.microsoft.com/en-us/download/details.aspx?id=36391), the whitepaper An overview of Azure Active Directory further presents these three editions (i.e. Free, Basic, and Premium) of Azure AD.
In addition, the whitepaper Introducing Azure Active Directory B2B presents the new feature Azure AD B2B collaboration, which can be used with any of the above editions to embrace identity management (IDM) of partners and supply chains, and to manage business-to-business collaboration.
Similarly, the whitepaper An overview of Azure Active Directory B2C presents the new service for Business-to-Consumer: Azure AD B2C to embrace identity management (IDM) of individual consumers.
The whitepaper Azure AD & Windows 10: Better Together for Work or School introduces how Windows 10 Pro, Windows 10 Enterprise editions, and Windows 10 Education will enable a device to connect to your Azure AD tenancy to seamlessly access SaaS applications in the cloud and traditional applications on-premises, and all of that without needing the traditional WSAD domains on-premises if you want to. It depicts the related experiences whether you are cloud-only, hybrid or have an on-premises AD infrastructure as well as how to enable them.
The whitepaper Azure AD/Office 365 single sign-on with AD FS in Windows Server 2012 R2 in two parts (Part 1 and Part 2/Part 2bis) provides an understanding of the different single sign-on deployment options with Azure AD/Office 365, how to enable single sign-on using corporate Active Directory credentials and AD FS to Azure AD/Office 365, the different configuration elements to be aware of for such deployment, and an instrumented end-to-end walkthrough to setup an Azure-based lab environment to further familiarize yourself with both the installation and configuration of the related infrastructure.
Important note By featuring the now available Azure AD Connect tool, Part 2bis should be considered as a more up-to-date walkthrough compared to Part 2, and should thus be preferred over it unless you’ve specific reasons to deal with the former DirSync tool and the manual configuration of the AD FS farm.
Likewise, the whitepaper Azure AD/Office 365 single sign-on with Shibboleth 2 provides an understanding of how to enable single sign-on using corporate LDAP-based directory credentials and Shibboleth 2 with the SAML 2.0 protocol to Azure AD/Office 365, and the different configuration elements to be aware of for such deployment. It also provides an end-to-end walkthrough of the related setup and configuration.
The whitepaper Leverage Multi-Factor Authentication with Azure AD covers the Azure Multi-Factor Authentication paid offering and how to leverage it with Azure AD (Premium).
As an addition to the aforementioned whitepaper Leverage Azure Multi-Factor Authentication with Azure AD, and for an organization that is federated with Azure AD, the whitepaper Leverage Multi-Factor Authentication Server for Azure AD single sign-on with AD FS describes how to use Azure Multi-Factor Authentication Server and how to configure it to secure cloud resources such as Office 365, so that federated users are prompted to set up additional verification the next time they sign in on-premises. In order not to "reinvent the wheel", this document leverages the instrumented walkthrough provided in Part 2bis of the above whitepaper Azure AD/Office 365 Single Sign-On with AD FS in Windows Server 2012 R2.
Finally, Azure AD also offers developers and cloud ISVs an identity management platform to deliver access control to their modern business applications, based on centralized policy and rules. The whitepaper Leverage Azure AD for modern Business Applications further presents the aspects that relate to the development of solutions with the current app model and with the next-generation one, the app model v2.0, in preview.
The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.
This white paper is for informational purposes only. Microsoft makes no warranties, express or implied, in this document.
Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in, or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.
© 2016 Microsoft Corporation. All rights reserved.
The example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious. No association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred.
Microsoft, list Microsoft trademarks used in your white paper alphabetically are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.
The names of actual companies and products mentioned herein may be the trademarks of their respective owners.