Windows Azure Active Directory Cartoon


I posted this video on to Channel 9 before Christmas but I can see something has gone wrong with the indexing and it’s pretty undiscoverable on the site. Thought I’d make it known through the blog.

Comments (9)

  1. I like the style of your video, very easy for people to follow.  I also just followed you on twitter.  

  2. Tony says:

    The push for Azure AD is really nothing more than transparent marketing from MS. Please tell me why in God's name I would put AD "in the cloud" for Office 365 as opposed to using federated authentication (SAML, WS-Fed)?

    I think it's hilarious that while the rest of the world is moving toward a federated identity model, Microsoft is pushing this ridiculous agenda of pulling AD to the cloud. #pointless

  3. plankytronixx says:

    Hi Tony,

    Wow – you really are passionate about federation – that's good to see.

    I don't think you'd put AD (traditional AD) in the cloud if the only service you were consuming was Office 365. It has its own directory (which is now called Azure AD). So there's no need for it – it's all part of Office 365 in the first place.

    But let's say you have some cloud apps, a few other internet connected apps PLUS office 365, then obviously federation is the answer – exactly the point you make. But if you are a small organisation with a small number of users then the IT burden of building an internal AD to federate with these external services would be pretty huge. The service management – like for example if the local ADFS server went down, then you'd not be able to access any federated services – that's a pretty big risk for a small business.

    The non-enterprise size businesses have been asking Microsoft for a few years now if we could provide a way for them to do this but in the cloud so that we run the infrastructure and they consume its services.

    So think of it more for the organisation that doesn't own and operate its own AD and federation infrastructure. If you think about it – in the on-premises world, to federate your AD with Office 365, you need an ADFS server. But you also need a proxy so that your road-warriors can also authenticate. But of course that's risky, so you need a minimum of 2 of each server in case of failures. The burden of these extra 4 servers on a small organisation would probably be substantial. To a large enterprise, it's just a case of expanding the existing infrastructure. To a smaller company – especially say one in the 10-user area – it's just not tenable.

    So – yes, I wholeheartedly agree with your point that the world is moving toward federation. It'd be a shame to lock the smaller business out of that opportunity – so the cloud is used to deliver the directory/federation service and take away almost all of the aspects of service management. I think that's perfect for the business that doesn't have an IT person on its staff…

    If the only businesses in the world were big companies with IT departments – I'd be 110% on your side so I can exactly see where you are coming from.
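The trust described in the reply above (an on-premises ADFS server acting as the claims issuer that Office 365 relies on, with the extra risk that the whole sign-in path dies if that server does) is exactly the kind of thing worth checking mechanically. The following is an added example, not code from the original post or from Microsoft: it parses an ADFS-style WS-Federation metadata document and compares the issuer, the passive sign-in endpoint and the signing certificate thumbprint with what the relying party has recorded for the federated domain. The hostnames, the metadata sample and the certificate bytes are constructed for illustration (the certificate body is placeholder data, not a real X.509 certificate), and the `RECORDED_SETTINGS` dictionary is an assumed stand-in for the values you would actually read back from the Office 365 side.

```python
"""Consistency check between an IdP's WS-Federation metadata and the settings a
relying party (Office 365 in the discussion) holds for a federated domain.
Added example; the sample metadata, hostnames and certificate bytes are constructed."""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "fed": "http://docs.oasis-open.org/wsfed/federation/200706",
    "wsa": "http://www.w3.org/2005/08/addressing",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
}

# Constructed placeholder: stands in for the DER bytes of the ADFS token-signing
# certificate. A thumbprint is SHA-1 over the DER encoding, so the mechanics are
# the same for a real certificate.
FAKE_CERT_DER = b"placeholder-token-signing-certificate-bytes"
EXPECTED_THUMBPRINT = hashlib.sha1(FAKE_CERT_DER).hexdigest().upper()

# Constructed sample laid out like ADFS's FederationMetadata.xml: one
# EntityDescriptor, an STS RoleDescriptor with a signing KeyDescriptor and the
# passive (browser) sign-in endpoint.
SAMPLE_METADATA = f"""<?xml version="1.0" encoding="utf-8"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="http://sts.contoso.example/adfs/services/trust">
  <RoleDescriptor xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706" xsi:type="fed:SecurityTokenServiceType" protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>{base64.b64encode(FAKE_CERT_DER).decode()}</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <fed:PassiveRequestorEndpoint>
      <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
        <Address>https://sts.contoso.example/adfs/ls/</Address>
      </EndpointReference>
    </fed:PassiveRequestorEndpoint>
  </RoleDescriptor>
</EntityDescriptor>"""

# Assumed stand-in for what the relying party has on record for the domain
# (the names mirror the IssuerUri / PassiveLogOnUri / SigningCertificate fields
# of a federated Office 365 domain; the thumbprint form is our simplification).
RECORDED_SETTINGS = {
    "IssuerUri": "http://sts.contoso.example/adfs/services/trust",
    "PassiveLogOnUri": "https://sts.contoso.example/adfs/ls/",
    "SigningCertificateThumbprint": EXPECTED_THUMBPRINT,
}


def parse_sts_metadata(xml_text):
    """Extract issuer, signing-cert thumbprints and passive endpoints from
    WS-Federation metadata. Raises ValueError if the document is not an STS."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML/WS-Federation EntityDescriptor")
    sts = None
    for rd in root.findall("md:RoleDescriptor", NS):
        # The STS role is marked with xsi:type="fed:SecurityTokenServiceType".
        if rd.get("{%s}type" % NS["xsi"], "").endswith("SecurityTokenServiceType"):
            sts = rd
            break
    if sts is None:
        raise ValueError("no SecurityTokenServiceType RoleDescriptor in metadata")
    thumbprints = []
    for kd in sts.findall("md:KeyDescriptor", NS):
        # An absent 'use' attribute means the key serves both signing and encryption.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            der = base64.b64decode("".join((cert.text or "").split()))
            thumbprints.append(hashlib.sha1(der).hexdigest().upper())
    endpoints = [
        (a.text or "").strip()
        for a in sts.findall("fed:PassiveRequestorEndpoint/wsa:EndpointReference/wsa:Address", NS)
    ]
    return {"entity_id": root.get("entityID"), "signing_thumbprints": thumbprints,
            "passive_endpoints": endpoints}


def check_federation_trust(meta, recorded):
    """Compare parsed IdP metadata with the relying party's recorded settings.
    Returns a list of problems; an empty list means the trust is consistent."""
    problems = []
    if meta["entity_id"] != recorded["IssuerUri"]:
        problems.append("issuer mismatch: metadata %r vs recorded %r"
                        % (meta["entity_id"], recorded["IssuerUri"]))
    if recorded["PassiveLogOnUri"] not in meta["passive_endpoints"]:
        problems.append("recorded passive sign-in endpoint %r is not advertised by the IdP"
                        % recorded["PassiveLogOnUri"])
    for ep in meta["passive_endpoints"]:
        if not ep.startswith("https://"):
            problems.append("passive endpoint is not HTTPS: %r" % ep)
    if recorded["SigningCertificateThumbprint"].upper() not in meta["signing_thumbprints"]:
        problems.append("recorded signing-certificate thumbprint not in metadata; "
                        "tokens will fail signature validation (typical after a cert rollover)")
    return problems


if __name__ == "__main__":
    meta = parse_sts_metadata(SAMPLE_METADATA)
    print(meta)
    print("problems:", check_federation_trust(meta, RECORDED_SETTINGS) or "none")
```

In practice the metadata comes from the live endpoint (`https://<adfs-host>/FederationMetadata/2007-06/FederationMetadata.xml`, fetched through the proxy path that road warriors use, so the check fails the way they would), and the recorded side comes from the relying party's view of the domain. The signing-certificate comparison is the one that bites: ADFS auto-rolls its token-signing certificate, and if the relying party still holds the old one every federated sign-in breaks even though all four servers are up.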

  4. atif says:

    We really enjoy it, I think we missed it before, http://www.web-hosting-pakistan.net

  5. If you're a small business, why put AD on site and then have to deal with federation, security, general management, etc.? Why have any infrastructure on site, for that matter?

    I strongly believe that an integrated cloud experience covering O365, InTune, Azure with WAAD will be a boon for many a small business.

    Keep up the good work

    Kind regards

    Paul

  6. plankytronixx says:

    Hi mrpaulb,

    Yes I agree. I think Tony probably works in a large company with a big on-premises infrastructure. For him federated identities make perfect sense.

    The identities in WAAD for a small business are still in essence federated, it's just that the claims store is running up in the cloud, as is the IP. For a small business, I think the more infrastructure you can put in the cloud, the better.

  7. Tony says:

    Sorry for my initially snarky comment and thank you for that detailed explanation. I've had quite a few months to work with and understand Azure and I see the places where it makes perfect sense so I've cooled off a bit. :).

    Some of my frustration comes from the fact that MS has not made applications entirely "cloud aware" out-of-the-box. Take SharePoint for example in the opposite sense. Full federated identity support means users from disparate security realms can authenticate and authorize with no need for a Windows/AD account. That's what I'm talking about! The heavy handed Windows cred that's needed for apps drives me bananas when SAML, WS-Fed, OAuth etc. allow existing AD identities to traverse security boundaries painlessly (and securely). Now something like FIM 2010 doesn't understand ANY federated identity management protocols which makes it a weak IAM product in my opinion. Add to this, which was the initial point of my rant, the relatively weak federation support for Office 365. Despite Office 365 offering WS-Federation as the preferred authentication mechanism, users STILL get prompted when passwords expire. WS-Fed = SSO, so why in the world would a user get prompted? This is one of a few shortcomings.

    Going back to the initial point of my rant, the initial marketing push of MS Cloud services was sold as a panacea to all things and what's painfully obvious to me is that if we're not careful we're bringing back the problems of the year 2000…tight coupling, a bazillion identity stores, etc…all of these things create identity management, functional, and security nightmares which puts business at risk. Matter of fact I'm seeing these things now when we use cloud services sans federated identity.

    Two years ago Oxford Computer Group hosted a one day conference about going to the cloud and the overwhelming message was to get your internal identity management ducks in a row before proceeding. Personally I'd like to see more of a focus on really examining identity in 2014 that understands that user identity will need to access local, cloud, B2B services, etc. and build identity management systems that facilitate that.

    All that being said, I do see the MS Cloud vision getting better…the Azure ACS combined with the service bus is very slick, as is the Windows Azure Pack. Also the new support for OAuth and JWT in Windows Server 2012 R2 ADFS is great. At the time I wrote my initial comment, I was being bombarded with marketing and a big push to put our AD blindly in the cloud without any true justification. Also I re-watched your video and it's a very good overview.

    Thanks for your reply!

    – Tony

  8. Howard says:

    I can see where Tony is coming from with regards to some applications not being cloud ready. We are trying to use Microsoft Dynamics AX 2012 on Azure but we do not yet have ADFS. We seem to have hit a brick wall because unlike Office 365 (if I understand right), Dynamics AX does not support SAML. I'm still trying to get my head around which bit (ADD, ACS, Windows Azure Pack, ADFS) does what and I'm not enjoying the experience!

  9. plankytronixx says:

    I'm not a Dynamics AX guy – but if you want to get your head round the whole federation thing I recommend some of my earlier articles. They are a little out of date (for example it's much easier to set stuff up now, largely through the UI) but the principles are exactly the same.

    Unfortunately, Microsoft has a rather large estate of on-prem apps/infrastructure to modify to make it cloud-aware. This is not at all a small task. Sometimes it's unfortunate that it directly impacts you if you happen to be using a product that hasn't already had the cloud treatment.

    The cloud has put the cat among the pigeons somewhat because new features in the cloud can just be rolled out continuously (and they are, hundreds of them, literally) but it's not like that with traditional software which has much longer lead-times. Sorry but that's just the modern world. Our cloud competitors don't have the same problem because they have no/very-few on-prem products in the first place. So they have nothing to integrate with anyway.

    Sorry – that's just the way life is with the speed of change right now… Microsoft did make a commitment to have all our products cloud aware – so it's coming.

    Here are the links:

    blogs.msdn.com/…/primer-federated-identity-in-a-nutshell.aspx

    blogs.msdn.com/…/single-sign-on-between-on-premise-apps-windows-azure-apps-and-office-365-services.aspx

    blogs.msdn.com/…/whiteboard-video-how-adfs-and-the-microsoft-federation-gateway-work-together-up-in-the-office-365-cloud.aspx

    blogs.msdn.com/…/the-difference-relationship-between-azure-active-directory-and-normal-active-directory.aspx

    blogs.msdn.com/…/video-screencast-complete-setup-details-for-federated-identity-access-from-on-premise-ad-to-office-365.aspx

    blogs.msdn.com/…/difference-between-an-azure-app-domain-joined-to-your-active-directory-and-an-azure-app-joined-to-your-active-directory-through-appfab-acs.aspx