by Frank Campise
US Partner Technology Strategist for Microsoft Azure
The Microsoft Azure Partner Community is led by National Partner Technology Strategists from the Microsoft US Partner Team. Partner Community activities include blog posts, discussions on Yammer, newsletters, and community calls.
The partner opportunity for apps on Azure
Microsoft on-premises applications like Office, Exchange, SharePoint, and Lync have greatly enhanced the ability of organizations to collect, organize, share, and communicate information within and across their respective businesses. However, there are still many instances in which a unique customer need drives the requirement for a one-off line of business (LOB) application to be custom built by a partner. If you are an application development partner who builds these types of applications, this scenario is likely common for you.
A customer that has already moved to Office 365 understands the benefits of the cloud, is likely using many of the great features in Office 365, and—like on-premises customers—may have unique business needs that require a line of business application. The challenge here is that although this customer has moved a good portion of its productivity applications to the cloud, its LOB applications are still stuck on-premises. This customer challenge is the partner opportunity.
This cloud-enabled customer is likely to want its LOB applications to become first-class cloud citizens, in a fashion very similar to what the customer’s employees have come to expect when interacting with Office 365 productivity applications. The customer wants these LOB applications to be accessible to employees even when they are away from the office and not connected to the corporate VPN. In addition to being accessible, those LOB applications need to be secure, and the customer will want to control authentication using mechanisms that are already in place, which most likely means organizational accounts stored in on-premises Microsoft Active Directory.
The good news for this particular customer is that, having already implemented Office 365, it is well on its way towards having a general cloud-enabled authentication and authorization system in place for its corporate applications. This is because Office 365 utilizes the Microsoft Azure platform, or more specifically, Microsoft Azure Active Directory (AAD), to support these functions. That use of AAD means that an application developer can tap into these services and build cloud applications for this customer.
Here is guidance on how to associate an Office 365 Azure Active Directory tenant with an Azure subscription, and how to use that directory to secure a web application.
Associating an Azure subscription with Office 365
Although an Office 365 tenant utilizes AAD, it is by default not exposed via a Microsoft Azure subscription. Therefore, one of the first steps in setting up a customer’s environment to utilize the AAD that’s associated with the customer’s Office 365 tenant for general authentication and authorization is to tie that AAD to a Microsoft Azure subscription.
There are two options for doing this:
- Create a new Azure subscription utilizing the Global Administrator of the Office 365 tenant to serve as the Administrator for the Azure subscription
- Utilize an existing Azure subscription that the customer already has in place and tie the Office 365 associated Azure Active Directory with that subscription
For more information on setting up both of these options, refer to this article: Manage the Directory for your Office 365 subscription in Azure.
Once you have tied the AAD associated with the Office 365 tenant to an Azure subscription, this directory can be used as the backbone to authorize and authenticate the LOB applications. More specifically, all employees within that customer will be able to utilize the organization’s account and password, just as on-premises, to access the LOB applications in the cloud. Now, you can focus on building the right applications for the customer, and leave the security to Microsoft Azure Active Directory.
Azure Websites and Azure Active Directory
Azure provides a number of different services to help you build line of business applications, such as Cloud Services, Mobile Services, Websites, and more. Each of these features has a great AAD integration story, but we’ll focus on Azure Websites and how easy it is to take a web application and secure it with AAD.
Azure Websites is an enterprise-class cloud service that allows you to quickly and easily develop, test, and run web applications. Azure Websites is ideal for corporate LOB applications for several reasons:
- Support for multiple languages/frameworks: .NET, Java, PHP, Node.js, and Python
- Very low learning curve for developers who have built websites in IIS
- Built-in autoscale and load balancing
- Continuous deployment with Git, TFS, GitHub
- Support for SQL databases, MySQL, DocumentDB, Search, MongoDB, etc.
- Ability to access on-premises data through Virtual Network/VPN support
- Deployment slots that allow for A/B testing, test in production
- Ability to store and restore backups including underlying databases
- Support for “one-click” integration with Azure Active Directory
That last point, about “one-click” integration with Azure Active Directory, is particularly important for this discussion about moving a customer’s LOB apps to the cloud. Watch the short video below for a walkthrough of this capability.
Easy Authentication and Authorization video
In this video, Scott Hanselman talks to Azure Websites software engineer Chris Gillum, who gets him up to speed on Azure Websites' Easy Authentication and Authorization. This new "one-click" feature can take any Azure Website—Node.js, PHP, ASP.NET, or Java—and quickly set up authentication and authorization.