Identity management, to cloud or not to cloud
By Ron Grattopp ….last month one of the posts I did was on the “Cloud OS”, so as part of my research for that I ran across information from some time back that I think is still relevant but not well known about our technology, so I wanted to share. This post centers around info from a couple of articles that were done about a year ago by John Shewchuk, a Microsoft Technical Fellow, entitled: Reimagining Active Directory for the Social Enterprise (a 2-part series, part 2 is here). John’s posts are on MSDN and as you might expect are pretty technical in nature and geared toward a developer audience, but feel free to read them if you like. What I want to do here is take some key points from his information and provide it to you as messaging you can use in customer conversations.
Here’s the primary message: “Active Directory (AD) and Windows Azure AD provide a powerful base for single identity across clouds to securely extend applications to people and their devices.” An identity management solution (IDMS) is a key element in access control, or how one allows or prevents access to business data and applications. No other IDMS vendor brings the level of integration across cloud and on-premises that you get with Microsoft—what this means is that I can have a local identity management service (AD) in my own datacenter serving my local infrastructure needs and use that same “Single identity” (e.g. logon) to access those (on-prem) services as well as any private or Microsoft public cloud services that I need or use. But beyond SSO you can use AD/Azure AD as a vehicle to share other information across applications, for example, any SSO-enabled app could leverage AD information about people, groups, reporting relationships, roles, contact information, printer locations, and service addresses. This can make SSO-enabled applications more relevant and rich, not to mention saving users time and effort vs using multiple logins for different apps.
Customer message #2: In case you didn’t know, Office 365 subscribers get Azure AD as part of the deal. As the reference post explains: “Each time a new organization signs up for Office 365, Microsoft automatically create a new Windows Azure Active Directory that is associated with the Office 365 account. No action is required on the part of the individual signing up.” For many smaller organizations, building and maintaining an identity management system and the associated application integration would be an IT effort beyond their capabilities and even organizations who can do that should appreciate the opportunity to make identity management easier and to broaden its reach. So Office 365 brings a built-in IDMS to the table with the following benefits (read the reference post for more detail about each of these):
- Ease of use. As alluded to above, it’s “out-of-the-box (OOB)” with Office 365, you just start adding users.
- Single sign on across applications. All the applications in Office 365—Microsoft Exchange Online, SharePoint Online, Lync Online, and Office Web Apps—work with Windows Azure Active Directory, so users get single sign on for their collaboration and communication solutions OOB. Windows Azure Active Directory SSO capability can be used by third-party applications as well (but this is not an OOB scenario).
- Shared context. Once an application establishes SSO with Windows Azure Active Directory, the application can use information in the directory, including information about people, groups, security roles, and so on. This is a great benefit for developers, but also makes an application more current and relevant, and can save users a lot of time and energy vs syncing.
- Efficient, highly available operations. Azure Active Directory costs are incorporated in Office 365 solution price, so you get highly available and robust identity management and access control services without spending an additional penny.
So, where a business used to only use “corporate apps”, be they custom or commercial (e.g. Office), and the users only had to interface (or logon and access resources) with that environment; now, and even more so in the future, users (with their devices) will also be using or wanting to use apps from the cloud. Having an IDMS technology that easily spans those environments is a key value add for the Microsoft platform and hopefully something else you can use in a customer conversation to help your customers appreciate the value they get from our platform.