Azure Stack Identity: Choosing the right Azure Stack Identity Model

Hello Everyone, my name is Zoheb Shaikh and I’m a Premier Field Engineer with Microsoft India. I am back again with another blog and today I’ll share with you information about Azure Stack Identity models.

Before I explain the concept of this topic, if you are not aware about what Azure Stack is then go check this out https://azure.microsoft.com/en-us/overview/azure-stack/

Coming back to our subject, Azure Stack requires Azure Active Directory or Active Directory Federation Services as its Identity Provider. Azure Stack works on OpenID Connect protocol just like Azure. AAD or ADFS both are compatible with these protocols.

Your decision to use Azure Active Directory or ADFS is dependent on the deployment models for Azure Stack should be i.e if you decide to use a Connected mode or a Disconnected mode respectively.

You must also decide which licensing model you wish to use. The available options depend upon whether or not you need to deploy Azure Stack connected to the internet.

  • For a Connected deployment, you may choose either Pay-as-you-use or Capacity-based licensing models. Pay-as-you-use requires a connection to Azure AD for it to report usage, which is then billed through Azure commerce.
  • Only Capacity-based licensing is supported when you deploy a Disconnected mode which means there is a disconnection with the internet. For more information about the licensing models, see Microsoft Azure Stack packaging and pricing.

To know more about choosing connected or disconnected modes please see Azure Stack Connection Models

Since we now know the two Identity models lets talk about scenarios where you could use them.

1. Enterprises : Dedicated hosting

This is a scenario of an Enterprise company that could use Azure Stack for a Single Directory Tenant in Azure AD. Authentication for Azure Stack Admins and Tenants will be served by a Single Directory Tenant. Since Authentication will be served by Azure AD this has to be connected and we can either use capacity-based or consumption-based licensing.

2. Azure Stack Service Provider : Shared hosting

Azure Stack allows users from multiple directories to sign in and use Azure AD but this would then have to be designed in such a way that only one Directory Tenant has access to the Admin Portal and Azure Resource Provider which means that the Admin Portal and Admin ARM are single-tenanted and the Public/User Portal, ARM and RPs are multi-tenanted. Since Authentication will be served by Azure AD this has to be connected to the internet and we can either use capacity-based or consumption-based licensing.

When a user from different tenants logs on, they will be redirected via their own ADFS to authenticate against their on-premises AD and gain access to Azure Stack Public portal.

3. Enterprises : Dedicated hosting

Since this is a disconnected scenario Azure AD is out of context here.

Azure Stack ADFS server and On-Premises ADFS server will be used for creating a Federation trust and the authentication will happen from On-Premises ADDS.

I hope this helps in understanding the different types of Identity scenerios that you can use for Azure Stack.

Zoheb