As introduced and further discussed in the whitepaper Towards Identity as a Service (IDaaS) - Use cloud power to solve cloud era challenges, the introductory part of this series of documents available on the Microsoft Download Center, the cloud is changing the way in which applications are written.
Accelerated market cycles, multi-tenancy, pure cloud solutions and hybrid deployments, web programmability and the API economy, and the rise of devices (smartphones, tablets, etc.) as well as rich clients as consumption models undoubtedly offer new opportunities.
For consumers, social media is emerging as a key source of identity. Real world examples of this include organizations that have internet-centric business models: music download sites such as Spotify, which allow users to log in using their Facebook identities, make it far easier for users to sign up.
Furthermore, usage of social identities appears to be expanding into more conservative areas; for example, the UK government is evaluating Facebook as part of the Identity Assurance (IDA) program, a way of better enabling secure transactions between public sector bodies and citizens.
At the same time, these changes present new challenges for the key services (both on-premises and in the cloud) that deliver identity lifecycle management, provisioning, role management, authentication and security for users and devices requiring granular access. The net result is to propel identity to the first rank of importance.
Key issues that require better identity capabilities include:
Identity becomes a service where identity "bridges" in the cloud "talk" to on-premises directories or the directories themselves move and/or are located in the cloud.
Identity, like compute, storage and networking, is an essential platform service. In the same way that identity played a critical role in the adoption of workgroup computing, identity services will play a critical role as organizations adopt the (hybrid) cloud, embrace and manage the "Bring Your Own Device" (BYOD) trend, and join the API economy. Organizations use, or will use, cloud services and applications created by cloud ISVs, Platform-as-a-Service (PaaS) cloud platforms for custom Line of Business (LOB) development, and Infrastructure-as-a-Service (IaaS) cloud environments for specific workloads onboarded to the cloud for IT optimization reasons.
All of the above implies a new Identity Management model. This has to cut costs as well as deployment complexity – not increase them. Organizations need a specialized service that appropriately handles identity as well as security and privacy for them – with an increased level of specialization and professionalization adequate to emerging cyber threats. The key insight this leads to is that you can get more capability for less money by leveraging cloud capabilities.
Kim Cameron, Microsoft Chief Identity Architect, is convinced that "organizations will find they need new identity management capabilities to take full advantage of the cloud. They will also find that the most reliable and cost-effective way to obtain these capabilities is through Identity Management as a Service – i.e. using the cloud to master the cloud."
We can therefore predict with certainty that almost all organizations will subscribe to these identity (hybrid) services. Enterprises will use these services to manage authentication and authorization of internal employees. But in the outward looking world that is emerging so quickly it will be just as important to manage access to services by an organization's supply chain, its customers (including individuals), its leads and prospects. Governments will use them when interacting with other government agencies, enterprises and citizens.
Identity Management as a Service (IDaaS) will directly attack these problems – simplifying life for government and enterprise service providers and their end users. Once again, by leveraging the efficiencies of the cloud and automation to gain efficiencies in identity, IDaaS can:
These requirements and capabilities will drive almost all organizations to subscribe to identity services that are cheaper, broader in scope, more unifying and more capable than the systems of today.
Identity Management as a Service (IDaaS) will require that we move beyond the models of identity management that have guided our thinking to date. A new service-based model will emerge combining more advanced capabilities with externalization of operations to achieve reduction in risk, effort and cost. High end security capabilities will become utilities available even to the smallest organizations, resulting in a democratization of the safe Internet.
The next sections discuss, in this context, Microsoft's identity offerings in the hybrid era.
Microsoft has earned widespread adoption of its on-premises identity technology, a suite of capabilities packaged and branded as Windows Server Active Directory (WSAD). AD is used extensively by governments and enterprises world-wide. Its capabilities include:
Although referred to as "a directory" AD includes a wide gamut of identity services that implement (and have helped drive adoption of) many important standards. These include:
Related products like Microsoft Forefront Identity Manager (FIM) perform rule-based synchronization with many other identity stores:
FIM also provides advanced self-management capabilities based on workflows, as well as rule-based smart card management.
AD is widely deployed in the Global 5000 today as their authoritative identity and access management system, as well as in small and medium enterprises, and we will not describe it further here.
The important new information here is that to meet the requirements of hybrid deployment AD can be extended into public clouds and/or into private clouds.
Azure Active Directory (Azure AD) has been designed to easily extend AD (in whole or in part) into the public Azure cloud as a directory whose content is owned and controlled by the organization providing the information.
This will be described in the next section.
In addition, for compatibility with existing on-premises applications, it is possible to install WSAD domain controllers (DCs) within Azure data centers where they can service requests from Azure applications running there in the Infrastructure Services.
As a broad usage workload type, WSAD DCs can be deployed either standalone or as part of a larger application, with or without on-premises connectivity (to the organization's identity infrastructure).
Note Azure AD Domain Services, a cloud based service, gives you a fully WSAD compatible set of APIs and protocols, delivered as a managed Azure service. In other words, thanks to this new concept, you can now turn on support for all the critical directory capabilities your applications and server VMs need, including Kerberos, NTLM, Group Policy and LDAP. For more information, see blog post #AzureAD Domain Services is now GA! Lift and shift to the cloud just got WAY easier! and article Azure AD Domain Services.
Azure Virtual Machines help you move (part of) your business, applications and infrastructure to the cloud without changing existing code, in your own way and at your own pace.
As its name clearly indicates, Azure Virtual Machines provides support for virtual machines (VMs) provisioned from the cloud. At a glance, a VM consists of a piece of infrastructure available to deploy an operating system and an application. Specifically, this includes a persistent operating system (OS) disk, possibly some persistent data disks, and internal/external networking "glue"/connectivity to hold it all together. With these infrastructure ingredients, it enables the creation of a platform where you can take advantage of the reduced cost and ease of deployment offered by Azure. This is all the more true with the Infrastructure-as-code and Configuration-as-code capabilities provided by Azure Resource Manager (ARM).
Note For more information, see article Azure Resource Manager overview.
VMs indeed give you application mobility, allowing you to move your virtual hard disks (VHDs) back and forth between on-premises and the cloud. This enables you to migrate your existing VM, to bring your own customized Windows Server or Linux images, etc. As a common virtualization file format, VHD has been adopted by hundreds of vendors and is a freely available specification covered under the Microsoft Open Specification Promise (OSP). The new version VHDX is also available as a free specification covered under the OSP.
While "migration" is a simple goal for any IaaS offering, the ultimate objective is to be able to run the exact same on-premises applications and infrastructure, or part of them, in the cloud, thus enabling onboarding and off-boarding of workloads in order to improve the agility of the organization, i.e. its ability to capitalize on new opportunities and respond to changes in business demands.
Such a process might involve transferring an entire multi-VM workload, which may require virtual networks for hybrid connectivity to an on-premises deployment. (This can be seen as a cross-premises deployment.)
To mimic an on-premises deployment with a multi-VM workload as needed here, virtual networks are also required. This is where Azure Virtual Networks come into play. Azure Virtual Networks let you provision and manage virtual networks (VNETs) in Azure. A VNET provides the ability to create a logical boundary and place VMs inside it. A VNET also provides the capability of connecting Azure Cloud Services (VMs, web roles, and worker roles).
Azure Virtual Network provides control over the network topology, including configuration of IP addresses, routing tables and security policies. A VNET has its own private address space. The address space is IPv4 and IPv6. With Virtual Network, you can easily extend your on-premises IT environment into the cloud, much the way that you can set up and connect to a remote branch office. You have multiple options to securely connect to a Virtual Network - you can choose an IPsec VPN or a private connection using the Azure ExpressRoute service.
To summarize, Azure Virtual Network allows you to create private network(s) of VMs in your Azure tenant environment, assign IP addresses to them, and then optionally connect them to your data center. Using this method, you can seamlessly connect on-premises (virtual) machines to VMs running in your Azure tenant.
The above capabilities enable the support of three typical key Microsoft workloads to deploy in the cloud:
These broad workload types can be deployed either standalone or as part of a larger application, with or without on-premises connectivity.
In the specific context of this paper, Azure Virtual Machines and Azure Virtual Network make AD in Azure a reality today.
The fundamental requirements for deploying AD on VM(s) in Azure differ very little from deploying it on VMs (and, to some extent, physical machines) on-premises. For example, if the domain controllers that you deploy on VMs are replicas in an existing on-premises corporate domain/forest, then the Azure deployment can largely be treated in the same way as you might treat any other additional AD site. That is, subnets must be defined in AD, a site created, the subnets linked to that site, and the site connected to other sites using appropriate site-links. There are, however, a number of differences that are common to all Azure deployments and some that vary according to the specific deployment scenario.
Before entering this path, we strongly advise considering the benefits provided by Azure AD Domain Services in lieu of deploying AD on VM(s).
If your assessment confirms this direction, the articles Install a new Active Directory forest on an Azure virtual network and Guidelines for Deploying Windows Server Active Directory on Azure Virtual Machines cover the fundamental differences and explain in great detail how to successfully deploy and operate AD in Azure. The former deals with a standalone configuration in the cloud whereas the latter highlights the requirements for deploying AD in a hybrid scenario in which AD is partly deployed on-premises and partly deployed on VMs in Azure.
Whatever the scenario, AD in Azure simply means AD running in your VMs in your Azure tenant, for the best compatibility with existing applications and for hybrid applications.
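As an added illustration of the site-topology steps just described (example code, not part of the whitepaper or the referenced articles), the following PowerShell registers the VNET subnet used by the in-cloud domain controllers as its own AD site and links it to an existing on-premises site. The site name, subnet range, on-premises site name and site-link name are assumed values; it requires the ActiveDirectory RSAT module on a domain-joined machine and Enterprise Admin rights.

```powershell
# Added example: model an Azure VNET subnet as an additional AD site.
# All names and ranges below are hypothetical and must be replaced with your own.
Import-Module ActiveDirectory

$azureSiteName = 'Azure-WestEurope'         # hypothetical name for the Azure site
$azureSubnet   = '10.20.0.0/24'             # hypothetical VNET subnet hosting the DC VMs
$onPremSite    = 'Default-First-Site-Name'  # existing on-premises site to replicate with
$siteLinkName  = 'OnPrem-Azure-WestEurope'  # hypothetical site-link name

# 1. Create the site object (idempotent: skip if it already exists).
if (-not (Get-ADReplicationSite -Filter "Name -eq '$azureSiteName'")) {
    New-ADReplicationSite -Name $azureSiteName
}

# 2. Define the subnet and bind it to the new site, so that clients and DCs in the
#    VNET locate the in-cloud DCs instead of crossing the VPN/ExpressRoute link.
if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$azureSubnet'")) {
    New-ADReplicationSubnet -Name $azureSubnet -Site $azureSiteName
}

# 3. Connect the Azure site to the on-premises site with a dedicated site link.
#    A higher cost than LAN links and a 15-minute interval reflect the WAN path.
if (-not (Get-ADReplicationSiteLink -Filter "Name -eq '$siteLinkName'")) {
    New-ADReplicationSiteLink -Name $siteLinkName `
        -SitesIncluded $onPremSite, $azureSiteName `
        -Cost 200 `
        -ReplicationFrequencyInMinutes 15 `
        -InterSiteTransportProtocol IP
}

# 4. Verify the resulting topology: the site, the subnets bound to it, and the link.
$siteDn = (Get-ADReplicationSite -Identity $azureSiteName).DistinguishedName
Get-ADReplicationSubnet -Filter * | Where-Object { $_.Site -eq $siteDn } |
    Select-Object Name, Site
Get-ADReplicationSiteLink -Filter "Name -eq '$siteLinkName'" |
    Select-Object Name, SitesIncluded, Cost, ReplicationFrequencyInMinutes
```

If the VNET range was previously covered by a broader on-premises subnet object, AD picks the most specific matching subnet, so the new entry takes precedence without editing the existing one.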
AD in Azure is NOT Azure AD, a REST-based service that provides identity management and access control capabilities for modern business applications.
AD can also be deployed as the backbone of a private cloud run in any data center chosen by the organization deploying it.
This private cloud backbone can be tightly connected as an integral part of the organization's on-premises AD or be loosely coupled (through MIM synchronization for example).
Azure AD is Microsoft's vehicle for providing IDaaS capabilities in a public cloud. Microsoft's approach to IDaaS is deeply grounded in – and extends – the proven concepts of on-premises AD.
The foundational concept of on-premises AD is that the content of the directory is the property of the organization deploying it and access to and use of that content is completely under the organization's control. This is also the fundamental concept behind Azure AD.
Azure AD is NOT a monolithic directory of information belonging to Microsoft, but rather, at the time of writing, more than three million different directories belonging to and completely controlled by different organizations.
This architecture and commitment is called "multi-tenant" and great care has been provided to insulate tenants (organizations) from each other and from their service operator – Microsoft.
Furthermore, when efforts to create a new cloud based Identity Management as a Service (IDaaS) platform on Azure started a few years ago, Microsoft knew the world had changed (or was about to change). To help you successfully bridge into the modern world of devices and cloud services, we were going to have to do a lot of things differently:
Taking all of the above as a starting point, we have re-engineered AD, to support massive scale, devices based on any operating system or architecture, modern business applications, modern protocols, high availability, and integrated disaster recovery.
Since we first talked about it in November 2011, Azure AD has shown itself to be a robust identity and access management service for Microsoft cloud services like Office 365, Dynamics 365, Intune and Azure to store user identities and other tenant properties. A number of people are (still) surprised to find out that every Office 365 customer already has an Azure AD directory.
Moreover, Azure AD is available for use by organizations who have applications running on any cloud platform or on-premises, and is offered as a service on the Azure Cloud platform (see below). Tenants can control the geographical region or regions in which their data resides.
The service operates more than 10 million tenants and processes more than 1.3 billion, with a B, authentications every week. Since the release of the service, Azure AD has processed 1 trillion identity authentications. This is a real testament to the level of scale we can handle.
At a high level, Azure AD is a high availability, geo-redundant, multi-tenanted, multi-tiered cloud service that has delivered 99.99% uptime for over a year now. We run it across 32 regions around the world. Azure AD has stateless gateways, front end servers, application servers, and sync servers in all of those data centers. Azure AD also has a distributed data tier that is at the heart of our high availability strategy. Our data tier holds more than 750 million objects.
No other cloud directory offers this level of enterprise reliability or proven scale. Quoting from the report KuppingerCole Leadership Compass Cloud User and Access Management: "Looking at the Market Leadership chart, we see Microsoft being the clear leader. This is based on the fact that their Azure Active Directory on one hand shows good direct acceptance and on the other builds the foundation for widely used Microsoft Office 365. Furthermore, Microsoft has an exceptionally strong partner ecosystem."
Last year, Gartner, in its Magic Quadrant (MQ) for Identity Management as a Service (IDaaS) [Gartner, June 2015], placed Azure AD in the "Visionaries" quadrant after only its first year of availability. Gartner has since released its MQ for IDaaS for 2016 [Gartner, June 2016], in which Azure AD Premium has been placed in the "Leaders" quadrant and positioned very strongly for completeness of vision.
Important note The above graphic was published by Gartner, Inc. as part of a larger research document - complimentary access is provided here - and should be evaluated in the context of the entire document. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
As Alex Simons, Director of Program Management, Microsoft Identity and Security Services Division, says, "we're thrilled with the result. It really validates our vision of providing a complete solution for hybrid identity and access for supporting employees, partners and customers all backed by world class security based on Microsoft's intelligent security graph. This result says a lot about our commitment in the identity and access management space but more importantly about our customers, implementation partners and ISV partners who have worked together with us. They have been awesome about sharing their time and energy every day, to make sure that the products and services we build meet their needs and are helping them position their companies to thrive in the emerging world of cloud and devices.
You might be surprised to know that Microsoft also is the only vendor in the Leader quadrant across Gartner's Magic Quadrants for IDaaS, Cloud Infrastructure as a Service (IaaS), Server Virtualization, Application Platform as a Service, Cloud Storage Services, and as a leader across the data platform and productivity services. This really shows you why customers are choosing Microsoft across the full spectrum of cloud computing – our services are well integrated and also among the best available in their individual categories.
Our effort doesn't stop here. We have a lot of hard work ahead of us and we are planning to deliver more innovative capabilities to further improve our position in the "leaders" quadrant."
Note For more information on the available Azure AD editions (Free, Basic, Premium P1 and Premium P2), see later in this document and/or the article Azure Active Directory editions.
As a cloud based directory optimized to support modern business applications, and consequently modern protocols based on http/REST, Azure AD makes it easy at either regional or global scale to:
Note Using the Azure AD support, mobile business applications can use the same easy Mobile Services authentication experience to allow employees to sign into their mobile applications with their corporate Active Directory credentials. With this feature, Azure AD is supported as an identity provider in Mobile Services alongside the other identity providers we already support (which include Microsoft Accounts, Facebook ID, Google ID, and Twitter ID).
Note To make the configuration even easier, thousands (2797 at the time of this writing) of cloud SaaS pre-integrated applications like ADP, Concur, Google Apps, Salesforce.com and others, regardless of the public Cloud they are hosted on, are preconfigured via an application gallery with all the parameters needed to federate with them.
Single sign-on is the ability for a user to log in once and not have to re-enter their credentials each time they access different applications, APIs, or clouds. This represents an important part of Azure AD because it delivers a secure, yet simple and seamless way for users to connect to their resources running somewhere in the cloud.
Note The approach of using standard REST interfaces to operate over a graph containing entities (nodes) and relationships (arcs) between entities - often referred to as a graph interface - is very common on the Internet nowadays. For more information on networks and graphs, we recommend the book Networks, Crowds, and Markets: Reasoning About a Highly Connected World published by Cambridge University Press.
Interestingly enough, you can extend the same experience to your on-premises applications as well, because increasingly you are managing both on-premises and cloud-based applications. Azure AD Application Proxy, a feature of the Azure AD Premium P1 and Azure AD Premium P2 editions (see later in this document), secures remote access to on-premises web applications that support any of the key open standards based authentication methods (SAML, OAuth 2.0, Kerberos, etc.). With it, you can bring traditional on-premises applications, such as a SharePoint site, right into Azure AD.
For applications that do not support the above standards, we have partnered with Ping Identity: "The result of this collaboration is "PingAccess for Azure AD", which will be available in public preview in early 2017. Our Azure AD Premium customers will be able to use this solution to connect to 20 on-premises web applications at no additional cost. And for organizations that need to use it for more than 20 applications, a full license will be available from Ping."
You thus have a true single control plane.
For organizations who already run an on-premises identity infrastructure, Azure AD has everything needed to get your on-premises directory connected to the cloud and integrate with it.
Azure AD includes Azure AD Connect, a single and unified wizard that streamlines and automates the overall onboarding process for directory synchronization with on-premises AD single-forest and multi-forest environments, including, if you want them, password hash synchronization (PHS, which synchronizes a hash of the password hash), pass-through authentication (PTA, in preview) or single sign-on (SSO).
Azure AD Connect is now the one stop shop for connecting your on-premises directories to Azure AD, whether you are evaluating, piloting, or in production.
Note For more information, see article Integrating your on-premises identities with Azure Active Directory.
Azure AD Connect is the best way to connect your on-premises directory with Azure AD and Office 365. Azure AD Connect is replacing DirSync and Azure AD Sync; these two older sync engines are deprecated from April 13, 2016 and reach end of support on April 13, 2017.
Note Interestingly, Azure AD Connect allows upgrading or migrating your existing DirSync or Azure AD Sync deployment quickly and easily with little or no impact. For more information, see article Upgrade Windows Azure Active Directory Sync ("DirSync") and Azure Active Directory Sync ("Azure AD Sync").
Important note Customers using DirSync or Azure AD Sync will continue to synchronize after April 13, 2017 but they will not be able to receive support for their synchronization tool. They must upgrade to the latest version of Azure AD Connect in order to receive support.
Important note Customers running Azure AD Connect 1.0.x.0 also received the message to upgrade to the latest version of Azure AD Connect in order to receive support. Microsoft recommends that customers stay current with Azure AD Connect releases. For a full list of fixes and improvements over the lifetime of Azure AD Connect, see article Azure AD Connect: Version Release History.
Azure AD Connect offers a rich set of sync capabilities such as:
and, with the Azure AD Premium P1 or P2 editions, also a rich set of write-back capabilities with the ability to enable:
Note For more information, see whitepaper Azure AD & Windows 10: better Together for Work and School.
Azure AD supports integration with AD FS and other third-party security token services (STS) such as Shibboleth2, PingFederate, SiteMinder, etc. to provide a (federated, cross-domain) single sign-on experience for corporate users while keeping user passwords on-premises - if the "same sign-on" experience enabled by the PHS or PTA features of Azure AD Connect isn't sufficient and/or doesn't fulfill your security requirements.
Important note In addition to directory synchronization (single or multiple directories) and password sync, the Azure AD Connect tool also streamlines the overall onboarding process for single sign-on and, as such, automatically performs the following steps: download and setup of all the prerequisites, and download, setup, and/or configuration of AD FS – AD FS being the preferred STS, etc.
Note The Azure Active Directory Connect Health (Azure AD Connect Health) cloud based service in the Azure portal helps you monitor and gain insight into health, performance and login activity of your on-premises identity infrastructure. As such, it offers you the ability to view alerts, performance, usage patterns, configuration settings, enables you to maintain a reliable connection to Azure AD and much more.
The currently available GA release not only focuses on AD FS (i.e. Azure AD Connect Health for AD FS) but also on sync, to allow you to monitor and gain insights into the sync service of Azure AD Connect (i.e. Azure AD Connect Health for sync). In addition, monitoring of the AD DS infrastructure is now available in public preview (i.e. Azure AD Connect Health for AD DS).
Azure AD Connect Health is a feature of the Azure AD Premium P1 and P2 editions (see later in this document) and represents a key part of our effort to help you monitor and secure your cloud and on-premises identity infrastructure. For more information, see article Monitor your on-premises identity infrastructure and synchronization services in the cloud.
Connecting customers' existing on-premises directories to Azure AD fully satisfies the requirements of hybrid deployments and hybrid identities in this context, and provides unified authentication and access management for both cloud and on-premises services and systems, eliminating the need to maintain new, independent cloud directories. In the end, Azure AD provides your corporate users with a seamless, same sign-on (PHS or PTA) or (federated) single sign-on experience across all your applications, while simplifying the adoption of SaaS subscriptions as well as the development of your own modern business applications.
Note In addition to the PHS or PTA features, the seamless single sign-on (SSO) feature, in public preview at the time of this writing, allows end users to type only their username, and not their password, to sign in to Azure AD/Office 365 or other cloud apps and services when they are on their corporate machines and connected to the organization's corporate network. The seamless SSO feature leverages the Windows Integrated Authentication (WIA) capabilities and the Kerberos protocol. For more information, see article What is Single Sign On (SSO) (preview).
Modern business applications live in an environment that includes a broad spectrum of mobile and native clients, server to server communication, and web APIs, in addition to traditional browser-and-website interactions. To address all the scenarios introduced by these applications, Azure AD, as a next generation authentication platform, is designed to meet these new requirements through standard, modern http/REST protocols such as OpenID Connect, OAuth 2.0, and OData, in addition to SAML 2.0, WS-Federation, and WS-Trust.
Note The OpenID Foundation has recently launched a certification program for OpenID Connect implementations. For more information, see the article The OpenID Foundation Launches OpenID Connect Certification Program. Azure AD has successfully passed the certification and is certified as an OpenID Connect identity provider.
Having an OpenID Connect certification program provides confidence that certified implementations will "just work" together. This represents another important step on the road to widely-available secure interoperable digital identity for all the devices and applications that people use. Microsoft is proud to be a key contributor to the development of OpenID Connect and now of its certification program.
Azure AD works with any modern browser running on a laptop, tablet or mobile device and can be easily integrated into applications running on a multitude of platforms from Microsoft and 3rd parties.
Conversely, if you are a cloud ISV, you can leverage Azure AD to reach a vast user population, which includes the ever-growing user base of the Office 365.
Azure AD is the directory behind Microsoft Online Services subscriptions like Office 365, Dynamics 365, Intune, etc. and is used to store user identities and other tenant properties. Just as the on-premises AD stores the information for Exchange, SharePoint, Lync and your custom LOB Apps, Azure AD stores the information for Exchange Online, SharePoint Online, Lync Online and any custom applications built in Microsoft's cloud.
Azure AD is available in four different editions to choose from:
Note This is the free edition used by the Microsoft Online Services subscriptions mentioned above, such as Office 365, in the context of this paper. If you've already subscribed to a paid Office 365 subscription, you can benefit from an Azure $0 subscription that lets you access the Azure portal with your existing Office 365 subscription to directly manage the related Azure AD tenant; to do so, sign up for this $0 subscription by following the link https://account.windowsazure.com/PremiumOffer/Index?offer=MS-AZR-0110P&whr=azure.com.
Note Independently of any Microsoft Online Services subscriptions, you can sign up for your free Azure AD tenant and trial Azure account by following the link https://account.windowsazure.com/signup?offer=MS-AZR-0044P.
Note For more information, see blog post Azure Active Directory Basic is now GA!.
Note To sign up and start using the Premium editions, see article What is Microsoft Azure Active Directory licensing?.
Note For a description of each edition below and a comparison table, see article Azure Active Directory editions. For more information on usage model, see article Azure Active Directory Pricing. For information on the usage constraints and other service limits for the Azure AD service per edition, see article Azure subscription and service limits, quotas, and constraints.
The above editions are part of the Microsoft Enterprise Mobility + Security (EMS) (formerly Enterprise Mobility Suite) E3 and E5 offerings respectively, which represent comprehensive and cost effective solutions for enterprise mobility needs.
Note For more information on the EMS offerings, see blog post Introducing Enterprise Mobility + Security.
Note The EMS offerings are not only available with an Enterprise Agreement (EA) but also through the Microsoft's Cloud Solution Provider (CSP) and Open programs. For more information, see the blog post Azure AD and Enterprise Mobility Suite now available without an Enterprise Agreement.
Furthermore, global administrators of an Azure AD (Premium) tenant can optionally enable the Multi-Factor Authentication support in the Azure AD Premium P1 and Azure AD Premium P2 editions to require their employees to use a second form of authentication (e.g. a mobile phone app, an automated phone call, or a text message challenge) when logging into the cloud based and SaaS applications declared in the directory tenant, enabling even more secure identity access and protecting the organization's identity data in the cloud.
Interestingly enough, the Multi-Factor Authentication service composes nicely with the SaaS support: you can set up secure access to any pre-integrated SaaS application (complete with multi-factor authentication support) for your entire organization within minutes.
Note Multi-Factor Authentication for Office 365 helps secure access to Office 365 applications at no additional cost.
The above offerings largely target identity management (IDM) for employees and their devices accessing the organization's resources.
One of the new capabilities we are engineering in Azure AD is the ability to extend an organization's business-to-employee (B2E) IDM services to encompass all the people who interact with its applications and resources online but who are not members of the organization itself.
We will refer to these people as "external identities". Since consumers and partners are chief among them, we are introducing two new Azure AD IDaaS capabilities/offerings to address them:
Note The word "consumer" is used here to refer to the ultimate consumer, customer, client, citizen, retiree, or a supporter of a business, government or charity, someone who is acting as an individual, and not as a representative of an organization.
While much of the underlying Azure AD technology must remain the same (e.g. the directory), the IDM of employees, of business partners, and of individual consumers all have different requirements, hence the need for technologies that interact but are honed to specific problems. To master these requirements, Microsoft has worked closely with a number of customers in private previews; some of the private preview deployments are already fully in production.
Azure AD B2B collaboration helps improve security while simplifying the management of partner access to resources, including SaaS applications such as Office 365, Salesforce, Dropbox, Workday, etc., as well as other mobile, cloud, and on-premises claims-aware applications. An email-verified process allows partners of all sizes, with or without an existing Azure AD subscription, to manage their own accounts and get single sign-on (SSO) access to the line-of-business (LOB) applications you provide. This improves security because partner users lose access when they leave the partner organization, while you retain control of the access policies within your own organization. It also simplifies administration, as you do not need to manage an external partner directory or per-partner federation relationships. These capabilities can be used with any of the available Azure AD editions, and as part of Microsoft Enterprise Mobility + Security (EMS).
Azure AD B2C is a new, comprehensive, cloud-based consumer identity and access management solution for your consumer-facing applications, which can be integrated into any platform and accessed from any device. Azure AD B2C is a highly available global service that can support hundreds of millions of consumer identities. Azure AD B2C gives individual consumers the choice between "Bringing their own Identity" (BYOI) by using one of their existing social accounts (such as Facebook, Google+, Amazon, LinkedIn, or Microsoft Account), or creating a new local account (an arbitrary email address or username with a password).
All the above offerings and options accommodate many different requirements, hence the need for B2B and B2C technologies that interact but are honed to specific problems. In fact, Azure AD, Azure AD B2B collaboration, and Azure AD B2C can be thought of as a continuum, so the approaches need to be mixable and flexibly deployable.
Azure AD is a comprehensive identity and access management cloud solution, building on the enterprise-grade quality and proven capabilities of on-premises AD. It combines core directory services, advanced identity governance, security, and application access management.
It offers capabilities that can be leveraged to centralize the identity management needs of your solutions and SaaS subscriptions, whether they are cloud-based, hybrid, or even on-premises. Azure AD is a complete offering that can help you take advantage of your existing on-premises investment, fully outsource your user (and device) management to the cloud, or anything in between. For enterprises with more demanding needs, the Azure AD Basic, Azure AD Premium P1, and Azure AD Premium P2 editions complete the set of capabilities that this identity and access management solution delivers.
As part of the same series of documents on Azure AD available on the Microsoft Download Center, the whitepaper An overview of Azure Active Directory further presents the Free, Basic, and Premium (P1 and P2) editions of Azure AD.
In addition, the whitepaper Introducing Azure Active Directory B2B presents the new Azure AD B2B collaboration feature, which can be used with any of the above editions to embrace identity management (IDM) of partners and supply chains, and to manage business-to-business collaboration.
Similarly, the whitepaper An overview of Azure Active Directory B2C presents the new business-to-consumer service, Azure AD B2C, which embraces identity management (IDM) of individual consumers.
The whitepaper Azure AD & Windows 10: Better Together for Work or School introduces how the Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education editions enable a device to connect to your Azure AD tenancy and seamlessly access SaaS applications in the cloud as well as traditional applications on-premises, without needing traditional on-premises WSAD domains if you so choose. It depicts the related experiences, whether you are cloud-only, hybrid, or have an on-premises AD infrastructure, as well as how to enable them.
The whitepaper Azure AD/Office 365 seamless sign-in in seven parts (Part 1, Part 2, Part 3, Part 4/Part 4bis, Part 5, Part 6, and Part 7) provides an understanding of:
This whitepaper supersedes the previously available whitepaper Azure AD/Office 365 single sign-on with AD FS in Windows Server 2012 R2 in two parts (Part 1 and Part 2/Part 2bis), which should now be considered deprecated within this series of documents; it will be retired in the near future, but is kept for now because some other whitepapers still depend on it.
Likewise, the whitepaper Azure AD/Office 365 single sign-on with Shibboleth 2 explains how to enable single sign-on to Azure AD/Office 365 using corporate LDAP-based directory credentials and Shibboleth 2 with the SAML 2.0 protocol, and the different configuration elements to be aware of for such a deployment. It also provides an end-to-end walkthrough of the related setup and configuration.
The whitepaper Leverage Multi-Factor Authentication with Azure AD covers the Azure Multi-Factor Authentication paid offering and how to leverage it with Azure AD (Premium P1 and Premium P2).
As an addition to the aforementioned whitepaper Leverage Azure Multi-Factor Authentication with Azure AD, and for an organization that is federated with Azure AD, the whitepaper Leverage Multi-Factor Authentication Server for Azure AD single sign-on with AD FS describes how to use and configure Azure Multi-Factor Authentication Server to secure cloud resources such as Office 365, so that federated users are prompted to set up additional verification the next time they sign in on-premises. In order not to "reinvent the wheel", this document leverages the instrumented Azure Service Manager (ASM) based walkthrough provided in Part 2bis of the above (deprecated) whitepaper Azure AD/Office 365 Single Sign-On with AD FS in Windows Server 2012 R2. A new version will be available soon that leverages the Azure Resource Manager (ARM) based configuration of the whitepaper Azure AD/Office 365 Seamless Sign-in in lieu of the classic ASM based one.
Finally, Azure AD also offers developers and cloud ISVs an identity management platform to deliver access control to their modern business applications, based on centralized policy and rules. The whitepaper Leverage Azure AD for modern Business Applications further presents the aspects that relate to the development of solutions with the current app model and with the next-generation app model v2.0, currently in preview.