Gartner recently recognized Microsoft as an industry leader, positioned furthest to the right for completeness of vision, in their 2016 Magic Quadrant for Identity and Access Management as a Service, Worldwide. This landmark achievement sets the stage for existing and prospective Microsoft partners to team up with the most innovative cloud computing platform and services on the market today. Azure is especially exciting in how it’s embracing identity solutions.
You might be asking how exactly identity relates to Azure, and which Azure services offer identity capabilities. There’s actually a lot going on in this arena, and in today’s blog we break it down for you.
Azure in practice
Let’s start by making it (mostly) simple. According to an article originally written by David Chappell and posted by Curtis Love, Azure has several different ways to provide identity-related solutions:
- Traditional Active Directory (AD), formally called Windows Server Active Directory, can run on virtual machines hosted in Azure. This approach makes sense when you’re using Azure to extend your on-premises datacenter into the cloud.
- Azure is also able to be its own identity provider through Azure Active Directory (AAD). This enables users to have a single sign-on experience to Software as a Service (SaaS) applications. Office 365 leverages AAD to provide its native cloud identities. Of course, your applications running on Azure or other cloud platforms can also take advantage of AAD.
- Finally, applications running either in the cloud or on-premises can use Azure Access Control Service (ACS) to authenticate users who need to access your web applications and services without having to factor complex authentication logic into your code. ACS allows you to let users log in using identity providers including Microsoft accounts, Facebook, Google, and others.
Apart from the alphabet soup above, let’s focus in on the capabilities (such as B2B, B2C, MFA and SSO) enabled by Azure Active Directory and what you can actually do with all those acronyms.
1. Azure Active Directory B2B
Azure Active Directory B2B enables access to enterprise applications from partner-managed identities. You can create cross-company relationships by inviting and authorizing users from partner companies to access your resources.
What you can do with it
- Let your customers grant their partners access to corporate resources and applications in a simple, secure and seamless way.
- Provide the capability for each partner to manage their own employee identities, integrated into their existing IT systems, according to their own corporate policy.
- Light up rich, cross-company visibility, featuring world class compliance and control.
2. Azure Active Directory B2C
AAD’s B2C offering is a cloud identity service that is more reliable and cost effective than on-premises systems. B2C is a highly available, global identity management service for consumer-facing applications that allows your consumers to log on to all your applications through fully customizable experiences using their existing social accounts or by creating new credentials.
What can you do with it
- Easily integrate consumer identity management (such as the Microsoft Account, Facebook, LinkedIn, etc.) into your customers’ applications.
- Enable self-service sign up, profile, and password management.
- Give your customers the easy option of using an existing social account to access applications.
3. Azure Multi-Factor Authentication
Multi-factor authentication (MFA) is a method of authentication that requires the use of more than one verification method and adds a critical second layer of security to user sign-ins and transactions. It works by requiring any two or more of the following verification methods:
- Something you know (typically a password),
- Something you have (a trusted device that is not easily duplicated, like a phone), or
- Something you are (biometrics).
What can you do with it
- Help your customers’ IT departments ensure a higher level of security for IT pros and administrators by adding a second layer of authentication when they log in.
- Boost your security efforts by requiring MFA for all users accessing corporate cloud based resources including Office 365 hosted email.
- Enable secure and convenient access for remote users who access confidential client information.
4. Azure Active Directory Single Sign On (SSO)
Azure Active Directory Single Sign On (SSO) gives users the ability to sign in to different applications, services, and sites (cloud based or on-premises) using a convenient single set of credentials.
What can you do with it
- Give your customers’ users the ability to sign in to thousands of SaaS applications using pre-built integrations available in the Active Directory Marketplace.
- Create a custom integration for a customer application that isn’t already supported.
- Combine implementation of MFA and SSO so that users can access all of their applications in a secure fashion with just one set of credentials.
Azure in action
So what does using Azure identity solutions look like in real life?
To provide an example, consider this: Stratiform, a Microsoft partner in Canada, was working with a customer who had purchased the Enterprise Mobility Suite (EMS) to use Intune for device management. Around the same time, the customer realized that it was time for them to move from Novell Directory Services and Groupwise as their directory and email solution to communication and identity solutions leveraging the power of the cloud.
In April, Stratiform suggested that Active Directory, Active Directory Federation Services, and Azure Active Directory Premium (included with EMS) could enable users at their 10+ sites across Canada to be managed centrally while lighting up:
- Self Service Password Reset,
- Single Sign On,
- Multi-Factor Authentication for Office 365 services (when users are remote),
- App Passwords enabled for mobile devices, and
- Multi-Factor Authentication not required when users are on the corporate network.
The project kicked off very quickly in May of 2016 and is expected to be in full production across 200+ users and 10+ locations in September. Identity is enabling the first project for this customer but could open the door for many future opportunities.
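To make the two MFA ideas in this post concrete (the "two or more distinct verification methods" definition above, and the case study's rule that MFA is required for remote users but not on the corporate network), here is a small policy evaluator. It is an added example, not code from the original post, from Stratiform, or from Azure AD: the factor names, the know/have/are mapping, the corporate IP ranges and the decision strings are all constructed for illustration. The point it shows that the text does not is the edge case: two factors from the same category (for example a password plus a security question) are both "something you know" and therefore do not count as multi-factor.

```python
"""
Added example (not from the original post, Stratiform, or Azure AD):
a minimal sign-in policy evaluator that applies

1. the MFA definition from the post: a sign-in is multi-factor only when
   the presented factors come from at least two DISTINCT categories
   (something you know / have / are); and
2. the case-study rule: MFA is required when the user is remote and
   skipped when the sign-in originates from the corporate network.

Factor names, categories, IP ranges and result strings are constructed
for this example and are not Azure AD configuration or API values.
"""
import ipaddress

# Hypothetical mapping from presented factor type to the category it proves.
FACTOR_CATEGORY = {
    "password": "know",
    "security_question": "know",
    "authenticator_app": "have",
    "phone_call": "have",
    "hardware_token": "have",
    "fingerprint": "are",
}

# Constructed corporate address ranges (private space, not a real network).
CORPORATE_NETWORKS = [
    ipaddress.ip_network("10.20.0.0/16"),
    ipaddress.ip_network("192.168.100.0/24"),
]


def factor_categories(factors):
    """Return the set of distinct categories proven by the presented factors.

    Unknown factor types are ignored rather than counted, so a typo or an
    unsupported method can never satisfy the policy by accident, and a
    repeated factor ("password" twice) collapses to one category.
    """
    return {FACTOR_CATEGORY[f] for f in factors if f in FACTOR_CATEGORY}


def is_multi_factor(factors):
    """True only when two or more distinct categories are present."""
    return len(factor_categories(factors)) >= 2


def is_corporate_network(source_ip):
    """True when the sign-in address lies inside a corporate range.

    Unparseable addresses are treated as remote (fail closed), so a
    malformed or missing address gets the stricter branch of the policy.
    """
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return False
    return any(addr in net for net in CORPORATE_NETWORKS)


def evaluate_signin(factors, source_ip):
    """Apply the location-conditional MFA rule from the case study.

    Returns (allowed, reason). The requirement that at least one
    recognized factor is always presented is an assumption of this
    example, not something the post states.
    """
    categories = factor_categories(factors)
    if not categories:
        return False, "no recognized factor presented"
    if is_corporate_network(source_ip):
        return True, "corporate network: single factor accepted"
    if len(categories) >= 2:
        return True, "remote: MFA satisfied"
    return False, "remote: MFA required"


if __name__ == "__main__":
    # Constructed sign-in attempts: (factors presented, source address).
    attempts = [
        (["password"], "10.20.5.7"),                    # on-site, password only
        (["password"], "203.0.113.9"),                  # remote, password only
        (["password", "phone_call"], "203.0.113.9"),    # remote, real MFA
        (["password", "security_question"], "203.0.113.9"),  # same category twice
    ]
    for factors, ip in attempts:
        print(factors, ip, "->", evaluate_signin(factors, ip))
```

Run it directly to see each constructed attempt and its decision; the fourth case is the one to watch, since it presents two factors yet is correctly refused as single-category when remote.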
For more detailed technical info about how to start using Azure solutions today, check out some of these additional Azure and identity resources:
- For a great description of what IT architects need to know about designing identity for organizations using Microsoft cloud services and platforms, read this article on Microsoft cloud identity for enterprise architects.
- For a deep dive video on Azure Active Directory B2B, click here.
- See how Real Madrid uses Azure Active Directory B2C to authenticate 450 million fans around the globe.
Still have questions about Azure and identity? Ask me in the comments below and I’ll be sure to respond. If you want more cool, technical info on Azure, check this space for my future blog posts and subscribe to my monthly Luper’s Learnings email. Request to be added by luperslearnings (at) microsoft.com and check out the archive in the meantime.