Although you could probably write several large tomes about cloud identity – about using, managing, and extending it – I try to keep my blogs short and sweet, aiming to demystify an Azure service and hopefully inspiring you to find out more.
I’ve previously written a series of blogs around storage, including talking about a real-life use case. So, I want to do the same, looking at identity in the Microsoft cloud.
Consider the case of Wingtip Toys (the real company name is, of course, kept secret). They have a large internal development team that develops applications for use by the company. These applications are consumed by users within the business, by external business partners, both large and small, and by individual contractors, totalling over 3,000 users.
Currently, authentication and authorisation are done using Wingtip Toys' internal Active Directory Domain Services (AD DS). All users, whether internal or external, exist as user objects within this directory.
This model has worked well for Wingtip Toys in the past. However, this is now presenting challenges and is restricting Wingtip’s ability to make new features available through their applications.
Wingtip Toys spends a large amount of time provisioning new users, managing password resets and disabling old user accounts. They want to give users the ability to sign in with an existing identity, for example a Gmail or Outlook.com account, but most importantly with their own corporate identities, when using Wingtip's applications.
They also want to provide automated sign-up and self-service password reset to users.
Because partner users live in Wingtip's own directory, when signing up new partners Wingtip Toys has to ensure that its password policies adhere to each partner's security standards for password rollover, lifetime, complexity, and so on.
Finally, the company wants any new identity model to be adopted in a way that has little to no impact on existing users when migrating to it.
These challenges are very common, in some form or another, when working with identity.
However, Azure Active Directory (Azure AD) can solve all of these challenges, and in a series of blogs I will talk about how it's done.
So, to finish this blog, a quick intro on Azure AD:
Azure Active Directory is Microsoft's multi-tenant, cloud-based identity management service. It blurs the lines between PaaS and SaaS; you could almost say it is Identity-as-a-Service. It underpins all of the Microsoft cloud, from Azure to Office 365, and contains a suite of capabilities such as multi-factor authentication, self-service password reset, role-based access control, monitoring and advanced security features.
If you already use Office 365, then you are already using Azure Active Directory. Exchange Online is an application of Azure AD: it relies on Azure AD to authenticate and authorise users, and then programmatically queries it for information such as group membership.
It's important to realise that, despite the name, Azure AD is not Active Directory Domain Services. It does not provide the LDAP, Kerberos or NTLM services that domain-joined machines expect; instead it exposes the web protocols (OAuth 2.0, OpenID Connect, SAML and WS-Federation) that cloud applications use. You can, however, synchronise on-premises identities to Azure AD, and synchronisation will be the first tool we use to solve the challenges that Wingtip faces. From there we will look at registering applications, integrating with web applications, and B2B collaboration. So, check back soon for the next blog, and you can find out more about Azure AD on the Microsoft website.