Over the past couple of years I’ve come to respect the importance of identity and strong identity management as a foundation to any organization’s Enterprise Mobility strategy. Those of you who know my background may recall that, in the late 90’s, I led the Program Management team at Novell delivering Novell Directory Services (NDS). Identity has been something I have worked on/around for close to two decades – and I can tell you it has never been more important than it is now.
As we are enabling users to work anywhere in the world from any device, it’s critical that you have a solution which helps you set policies that govern access to your organization’s critical and sensitive corporate resources (based, of course, on the identity of the individual and the identity of the device). With device users now working from anywhere and everywhere – and with a constant stream of attacks being leveled at every organization – it is also critical that an identity solution helps you to identify and block abnormal access attempts. As we all continue to consume more and more SaaS offerings (the workforce in an average enterprise uses more than 300 SaaS apps!), we need to be proactive about extending our identity management efforts to all of the SaaS apps our organization uses. Over the next few posts, I am going to cover how we are helping address these needs via the Enterprise Mobility Suite.
As you consider your options, I hope you come to the same conclusion that I have: The Enterprise Mobility Suite is the most sophisticated and complete Enterprise Mobility Management solution available. I get excited when I talk with customers and show them how they can take advantage of the work we are doing to integrate EMS with their existing AD and SCCM on-premises deployments. The alternative is purchasing separate offerings from the MDM guys (who don’t currently offer identity management) and then buying additional products from identity-focused organizations. After making this variety of purchases, you’re then left to assemble all of it on your own. I can promise you that the piecemeal approach will be much more expensive, far less agile, and it will offer you fewer capabilities.
Identity management is something that is in our DNA here at Microsoft. Today, over 90% of businesses around the world use AD for their identity management (that is not a typo!) – and that figure goes up to 95% for Fortune 1000 organizations. We have been working hard to enable organizations to expand their on-prem investments to the cloud, and we have actually optimized our solutions for device management with Azure Active Directory (you can read about AAD in depth here).
What to do with Active Directory
Deploying a consistent on-prem identity management system has become table stakes for doing business today. AD has been providing significant benefits for your organization for years with a centralized identity management solution for IT Pros and a great Single-Sign-On (SSO) experience for end users. When you are building your enterprise mobility functionality, you want it to deliver a small handful of critical things:
- Integration into your own infrastructure.
- Easy syncing with your internal Line of Business and 3rd party apps.
- Easy syncing with your identity directories (aka Active Directory).
- Self-service capabilities like password reset, group management, user profile management, etc. – all of which are consistent across your on-prem infrastructure and the cloud services you are using.
Azure Active Directory: Worker of Small Miracles
As I mentioned earlier, one of the key benefits AD has been providing for years is centralized identity management and access control across the enterprise, plus a great SSO experience for the end-users consuming enterprise services. Now, as organizations use more and more SaaS offerings (e.g. salesforce.com, Office 365, Box, etc.), a centralized identity management solution is more important than ever in order to manage these SaaS apps and provide an SSO experience to end users.
One possible way to deliver this kind of functionality is to federate each user with each and every cloud-based app. The challenge, however, is that not all apps use the same protocols or standards when it comes to identity management. This can make federation a very complex and costly operation. What organizations really need is a hub that can do five key things:
- Connect SaaS identities with their on-prem Active Directory users.
- Seamlessly connect with a variety of cloud applications.
- Integrate with various web protocols.
- Scale around the globe to authenticate users in any location, from any device, in a way that integrates simply with their existing identities.
- Provide SSO to all these apps for users.
Considering the massive installed base of AD, it is safe to say that the industry would prefer not to reinvent the wheel or manually recreate all of their identities in the cloud. The good news is that this kind of reinvention is unnecessary, since this is exactly what Azure Active Directory (AAD) provides in a secure and comprehensive way. AAD combines directory services, advanced identity governance, application access management, and a developer’s identity management platform. Impressive, right?
Consider for a moment these four scenarios that organizations of all sizes will face as they manage identities in the public cloud:
- Many applications, one identity repository.
- Managing identities and access to cloud applications.
- Monitoring and protecting access to enterprise applications.
- Personalizing access and self-service capabilities.
You need to insist that your mobility partners/vendors can provide comprehensive solutions for these four scenarios – and that solution needs to seamlessly connect to the on-prem work where you’ve already invested. These four areas are places where, I’m proud to say, AAD can consistently deliver at enterprise grade.
Sync & Federation with Azure Active Directory
AAD allows you to sync with the on-prem Windows Server Active Directory using DirSync, combined with either Active Directory Federation Services (ADFS) or, alternatively, password hash sync. This setup helps to configure SSO and, to make SSO even easier, the most popular cloud apps are already pre-integrated in the application gallery – no matter what kind of public cloud is doing the hosting. This kind of integration goes way beyond simple compatibility. We have already done the work to integrate more than 2,000 of the most popular SaaS apps with AAD – this fully enables the scenarios described above. Let us do the work so you don’t have to!
To really add additional value here, we have also preconfigured all the parameters needed to federate with these clouds so that an administrator can select the cloud applications their enterprise is already using and configure SSO accordingly.
Once you have your identities and apps under control, the next action to take is finding the most efficient way to manage them. The Azure Management portal contains a section specifically for AAD administration, and through this portal you can take your custom LOB apps (or the ones you’ve bought from a vendor) and enable them for SSO.
The Value of Cloud-based Identity Management
Once you’re operating your identity management solution from the cloud, your ability to manage a growing number of users and SaaS apps from the same console with the same processes becomes an invaluable advantage.
Access isn’t the only element that benefits from a top-tier identity management solution, however. Your ability to govern the creation, publishing, and usage of SaaS apps (which can be used via single sign-on) is a huge productivity booster for both you and your end users. There’s not an IT team in the world that goes more than a few minutes without thinking about security – and this is something we think a lot about, too. This is why AAD is based on Trustworthy Computing principles and security is a foundational part of its architecture.
To get a sense of just how secure this setup is, consider this: Microsoft does not require you to store any user passwords in the cloud from the synchronized on-prem identities. Additionally, all access attempts are monitored and can be displayed via a simple set of reports that can track inconsistent access patterns (unknown source logins, multiple failed logins, or logins from multiple geographies). These reports allow you to have the insight necessary to improve access security, respond to potential threats, and make decisions about other ways to mitigate risks (like Multi-factor Authentication).
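The three patterns named above (unknown source logins, multiple failed logins, and logins from multiple geographies) are straightforward to express as detection logic. The following is an added illustration, not code from this post and not how the Azure Active Directory reports are implemented: it runs the three checks over a handful of constructed sign-in records. The record layout, the corporate address range in KNOWN_NETWORKS, and the thresholds are all assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed sample sign-in records: timestamp,user,source IP,country,outcome.
# These are invented for the example and are not output of any real report.
SAMPLE_LOG = """\
2014-06-02T08:01:10Z,alice,10.20.1.15,US,success
2014-06-02T08:03:44Z,alice,10.20.1.15,US,success
2014-06-02T08:10:02Z,bob,203.0.113.7,US,failure
2014-06-02T08:10:31Z,bob,203.0.113.7,US,failure
2014-06-02T08:11:05Z,bob,203.0.113.7,US,failure
2014-06-02T08:11:40Z,bob,203.0.113.7,US,failure
2014-06-02T08:12:12Z,bob,203.0.113.7,US,failure
2014-06-02T08:12:50Z,bob,203.0.113.7,US,success
2014-06-02T09:00:00Z,carol,10.20.3.9,US,success
2014-06-02T09:30:00Z,carol,198.51.100.23,BR,success
"""

# Assumed corporate address ranges and detection thresholds (hypothetical values).
KNOWN_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]
FAILURE_THRESHOLD = 5                 # failed sign-ins that trigger a finding
FAILURE_WINDOW = timedelta(minutes=10)
GEO_WINDOW = timedelta(hours=2)       # two countries inside this window is suspicious


def parse_log(text):
    """Turn the comma-separated records into dicts, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, country, outcome = line.split(",")
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user,
            "ip": ipaddress.ip_address(ip),
            "country": country,
            "success": outcome == "success",
        })
    return sorted(events, key=lambda e: e["time"])


def unknown_source_logins(events):
    """Successful sign-ins from addresses outside the known corporate ranges."""
    return [e for e in events
            if e["success"] and not any(e["ip"] in net for net in KNOWN_NETWORKS)]


def repeated_failures(events):
    """Users with FAILURE_THRESHOLD or more failures inside one FAILURE_WINDOW."""
    flagged = {}
    failures_by_user = defaultdict(list)
    for e in events:
        if not e["success"]:
            failures_by_user[e["user"]].append(e["time"])
    for user, times in failures_by_user.items():   # times are already sorted
        for i, start in enumerate(times):
            in_window = [t for t in times[i:] if t - start <= FAILURE_WINDOW]
            if len(in_window) >= FAILURE_THRESHOLD:
                flagged[user] = len(in_window)
                break
    return flagged


def multi_geography_logins(events):
    """Users with successful sign-ins from two countries within GEO_WINDOW."""
    flagged = []
    last_success = {}
    for e in events:
        if not e["success"]:
            continue
        prev = last_success.get(e["user"])
        if (prev is not None and prev["country"] != e["country"]
                and e["time"] - prev["time"] <= GEO_WINDOW):
            flagged.append((e["user"], prev["country"], e["country"]))
        last_success[e["user"]] = e
    return flagged


def analyze(text):
    """Run all three checks and return the findings keyed by pattern name."""
    events = parse_log(text)
    return {
        "unknown_source": sorted({e["user"] for e in unknown_source_logins(events)}),
        "repeated_failures": repeated_failures(events),
        "multi_geo": multi_geography_logins(events),
    }


if __name__ == "__main__":
    for pattern, finding in analyze(SAMPLE_LOG).items():
        print(pattern, finding)
```

On the constructed records, bob is flagged for five failures in just over two minutes and for signing in from outside the corporate range, and carol is flagged for successful sign-ins from two countries half an hour apart. Which findings matter is a policy decision: a repeated-failure finding followed by a success from the same address is the case most worth a follow-up, and a multi-geography finding is the kind of signal that justifies requiring Multi-factor Authentication for that user.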
This is all delivered through Azure Active Directory Premium – which is one of the components of the Enterprise Mobility Suite. This is an incredibly high quality foundation you can use to build your Enterprise Mobility strategy.
* * *
To get a lot of additional information about Microsoft’s cloud-based identity management solutions, check out this very helpful Hybrid Identity Management site.
To see some data points about identity management in action, check out this clip from the Master of Mobility video series:
For even more info about Azure Active Directory and its capabilities, check out a couple of these resources:
- The main Azure Active Directory site.
- Active Directory Authentication Library 1.0 for .NET.
- Application Gallery for cloud apps.
- Active Directory Considerations in Azure Virtual Machines and Virtual Networks.
- Setting up Azure Active Directory ACS to provide identities to Windows Azure Pack.
- Federated Identities to Windows Azure Pack through AD FS.
- Azure Active Directory service page.
- Multi-factor Authentication service page.
- Azure Active Directory documentation page.