Enterprise Mobility and Security Blog


Howdy folks,

One of the topics I get asked about all the time is the roadmap for Azure Access Control Service (ACS).

Today I want to share some of the details of our plans for merging ACS into Azure AD and in particular for maintaining our identity integration with Google’s identity system.

Moving ACS customers to Google OpenID Connect

Many of you know about Google’s plans to discontinue support for OpenID 2.0 on April 20th, 2015. We have agreement with Google that the ACS service will not be disrupted on this date. We are making code changes in ACS and are working with Google to enable a rapid migration of ACS customers to the Google OpenID Connect implementation. As part of these changes, Google will require ACS namespace owners to register their namespace as a client with Google and accept the Google terms of service. As with the ACS Facebook integration, namespace owners must provide their Google client ID & secret to ACS.

We will provide detailed guidance on how to complete these steps soon.

ACS Capabilities in Azure AD

As we’ve mentioned previously, we are adding ACS-like capabilities into Azure AD. In the coming months, as part of a feature preview, Azure AD administrators will be able to add federation with social identity providers, and later custom identity providers, to Azure AD. This will allow app developers to use Azure AD to simplify the identity implementation in their apps, similar to how developers use ACS today. We look forward to getting your feedback on the preview to improve these experiences.

Migrating ACS Customers to Azure AD

Once these new ACS capabilities of Azure AD are out of preview and generally available, we will start migrating ACS namespaces to use the new Azure AD capabilities.

This migration will improve the performance and reliability of those namespaces by allowing them to leverage the geo-distributed and fault-tolerant Azure AD infrastructure that we’ve built out in 28 datacenters across the globe. Our goal is to make the migration seamless for as many namespaces as possible, with no impact beyond a new administrative user experience. Apps will continue to work without changes using the same protocols and ACS DNS name for sign-in.

A small number of ACS namespaces will not be able to migrate without some amount of disruptive change. For example, after the migration the ACS management API will no longer be supported. As part of this effort, we are committed to honoring the Azure policy of a one-year notice for disruptive changes. For namespaces that will have issues with an automatic migration, we will reach out directly to the namespace owners to provide migration options and guidance.

As always, we look forward to your feedback and suggestions on our plans and anything else you’d like us to include in our offering.

Best Regards,

Alex Simons (Twitter: @Alex_A_Simons)

Director of PM

Microsoft Identity and Security Service Division