Managing user credentials and application access is becoming more-and-more difficult in today's "cloud era". In addition to managing access to traditional on-premises applications, we're also faced with managing access to numerous 3rd party cloud-based applications - many of which default to managing identities on an app-by-app basis. And ... securing all of those discrete identities with passwords alone is getting quickly outdated as increasingly sophisticated password attacks are hitting the news on a regular basis.
Luckily, Windows Azure gives us the ability to easily gain visibility and centralized control over "cloud era" identity management via two offerings: Windows Azure Active Directory (WAAD) and Windows Azure Multi-Factor Authentication (MFA). In this article, I’ll provide a set of resources that you can use to get started exploring and leveraging Windows Azure Active Directory and Multi-Factor Authentication for your applications …
What is Windows Azure Active Directory?
Windows Azure Active Directory ( WAAD ), a cloud-friendly REST-based implementation of Active Directory for identity management of cloud applications, is available for production cloud apps as a FREE service. WAAD provides consistent centralized identity management for Microsoft Office 365, Windows Intune, over 580+ commercial SaaS applications and your own cloud-based applications. To support unified identity management with traditional on-premises applications, WAAD can also be integrated with Windows Server Active Directory via DirSync and Active Directory Federation Services ( ADFS ) gateway components.
In addition to the free service tier, there's also a Windows Azure Active Directory Premium offering ( currently available as a Public Preview ) that adds support for group-based application access management, advanced machine learning-based security reports, and a customizable application access portal with self-service password reset. You can learn more about activating this Premium offer at the below link location.
How does WAAD work with Windows Server Active Directory?
Watch this quick whiteboard video that introduces Windows Azure Active Directory and how it can integrate with Windows Server Active Directory.
Download this video for offline viewing.
Secure Multi-Factor Authentication
Secure application authentication for both cloud-based apps and on-premises apps is becoming increasingly important, and it's quickly getting to the point where password-based authentication alone is just not "secure enough" for many apps and organizations.
Windows Azure Multi-Factor Authentication (MFA) is an additional cost-effective paid service, currently priced at $2 USD per user per month, that can be leveraged with both Windows Azure Active Directory and Windows Server Active Directory to quickly add multi-factor authentication to cloud-based apps and on-premises apps. Windows Azure MFA extends authentication to leverage a common device that we all have: our Phones! MFA can be used to add a second-level of authentication to existing apps that involves authenticating users via a phone app, an automated phone call or text message after they've entered their initial username and password credentials. Users can choose the MFA option that works best for them.
Although MFA sounds very sophisticated, it takes just a few minutes to get started with it via the Windows Azure MFA cloud service ... VERY COOL! Be sure to check-out the new Step-by-Step guides listed as additional resources below to step through the process of enabling Multi-Factor Authentication.
How do I get started with Windows Azure Active Directory?
Get started with Windows Azure Active Directory by following these steps to create your Windows Azure Active Directory domain …
- Activate a FREE Windows Azure Trial Subscription to begin evaluating Windows Azure Active Directory
- Sign-in at the Windows Azure Management Portal with the login credentials used when activating your FREE Subscription in Step 1 above.
- On the Windows Azure Management Portal, click Active Directory on the left navigation panel to navigate to the Active Directory page.
Active Directory page on Windows Azure Management Portal
Click CREATE YOUR DIRECTORY to launch the Create Directory form to begin creating your new Active Directory domain instance.
- On the Create Directory form, complete the fields as noted below.
- Domain Name: Enter a globally unique name for your new Active Directory domain instance. This domain will initially be provisioned as subdomain inside the onmicrosoft.com public DNS domain. You can assign a custom DNS namespace to this domain after initial provisioning is completed.
- Country or Region: Select your closest country or region. This selection will be used by Windows Azure to determine the Azure Datacenter Region in which your Active Directory domain instance will be provisioned and cannot be changed after provisioning.
- Organization name: Enter your organization’s name.
When all fields have been completed, click the button to begin provisioning your new Windows Azure Active Directory domain instance.
NOTE: Provisioning of your new Active Directory domain instance will require a few minutes to complete. When completed, your new domain will be listed on the Active Directory page with a Status of Active. When provisioning is completed, you may continue with the next step.
- On the Active Directory page, click on the name of your newly provisioning Active Directory instance to manage it on a Details page.
Selecting the newly provisioned Active Directory instance
- On the Details page for your new Active Directory instance, note the tabs located at the top of the page as depicted below.
Tabs on Active Directory Details Page
Each tab allows you to perform a particular set of management as follows:
- Users – Create and Manage cloud-based users
- Groups - Create and Manage groups of users
- Applications – Integrate over 580+ 3rd Party Commercial SaaS Applications and your own Cloud-based applications with Windows Azure Active Directory
- Domains – Add a custom DNS domain name
- Directory Integration – Configure integration with an on-premise Windows Server Active Directory forest.
- Configure - Enable Active Directory Premium features and Multi-factor Authentication
- Reports - Access security reports, such as anomaly reports and resource usage reports.
After exploring the details presented on each tab, continue with the next set of learning resources below.
Completed! You’ve completed the process of provisioning a new Windows Azure Active Directory instance.
Want more? Keep learning with these additional resources …
- READ: Options for Building Active Directory in the Cloud with Windows Azure
- DO IT: Step-by-Step: Building a Windows Server 2012 Active Directory in the Cloud with Windows Azure
- READ: Administering your Windows Azure Active Directory Tenant
- DO IT: Managing Windows Azure Active Directory via PowerShell
- DO IT: Step-by-Step: Leveraging Windows Azure Multi-Factor Authentication
Once you've completed these resources, also be sure to check out our growing collection of Windows Azure Step-by-Step Cloud Labs at: