Microsoft positions its ubiquitous directory service for its future in the cloud
You didn't actually think Microsoft, with deep investments in cloud services like, was standing on the sidelines in the identity-as-a-service market, did you? In a couple of blog posts over the last few days, Microsoft chief identity architect Kim Cameron and technical fellow John Shewchuk have begun sharing more information on work the company has done over the last several years on the direction of the Windows Azure Active Directory service and how it will interact with on-premises AD.
Windows Azure AD (Microsoft prefers to use this name in an effort to avoid the unfortunate "WAAD" acronym) has been around since Microsoft began offering BPOS (Business Productivity Online Services) in 2008, and it's the identity infrastructure that all of Microsoft Online Services uses. Architecturally, it's based on AD Lightweight Directory Service (LDS), but highly modified for scale and the ability to support multiple tenants in an isolated manner.
That multi-tenancy capability is not well known. Every organization that purchases Microsoft Online Services (MOS) has their own private instance of Active Directory created for them to manage their MOS identities. In his post "Reimagining Active Directory for the Social Enterprise", John emphasizes that this instance is your Active Directory service, and yours alone. "You decide who your users are, what information you keep in your directory, who can use the information and manage it, and what applications are allowed to access that information."
Historically, Windows Azure AD only supported the Windows Azure ecosystem - Office 365, CRM Online, Intune, and Windows Azure. By extension, the Windows Azure support meant that applications developed in Azure by its subscribers could also use Windows Azure AD's capabilities. What's new here is that Microsoft's identity gurus are throwing their full weight behind identity as a service, and are enhancing Windows Azure AD's support for non-Azure applications and identity providers like Google and Facebook to provide a broad single sign on (SSO) capability for its users both in the cloud and on premises. Shared identity context between cloud applications, social network integration, and mobility support are also mentioned. John states "the Windows Azure Active Directory SSO capability can be used by any application, from Microsoft or a third party running on any technology base."
Of course, a base assumption for any "Active Directory in the cloud" service is that it works seamlessly with an organization's on-premises AD installations. Well, If you're running Office 365 with the federated identity + directory synchronization option, you're already running a hybrid Active Directory where your user's on-premises AD identity is authenticated to Office 365 via federation and their accounts are provisioned or de-provisioned in your own little cloud AD via the dirsync process.
How does this enhanced Windows Azure AD compare to solutions offered by existing IdaaS vendors such as Symplified, Okta, OneLogin, PasswordBank, Ping Identity, and (just last week) Intel? After all, these vendors already enable a hybrid on-premises/cloud identity capability with your Active Directory. It's too early to tell based on two blog posts, but there are several clear similarities and differences. First, if you've been reading my articles on IDaaS you'll recognize directory sync as a standard component of practically every IDaaS vendor's connection to your on-premises AD. However, unlike other IDaaS vendors (with the exception of Ping Identity's PingOne), a hybrid on-premises AD / Windows Azure AD requires identity federation between your enterprise and its service to authenticate to applications. Microsoft would of course prefer you use AD FS as your on-premises federation solution, but I'm sure any standards-compliant federation product will do the trick.
Another aspect is maturity. As I just mentioned, the IDaaS market has a number of successful players in it already, with full-featured offerings. As a version 1.0 identity service, Windows Azure AD SSO will be pretty bare bones compared to its competitors. However, Microsoft has a distinct jump-start in that it already has an installed base of hundreds of thousands of tenants using Windows Azure AD service for Office 365, InTune, and other online services. I would expect Microsoft will make it as easy as possible for its existing customer base to begin using these SSO and future capabilities. A product with fewer capabilities than its competitors at first, but more in later versions, and "free": Recognize that pattern?
I think it's significant that, in both his Identity Blog post and a EIC 2012 keynote, Kim Cameron "predicts with certainty that almost all organizations will subscribe to identity services that are cheaper, broader in scope, and more capable than the systems of today." That's the most ringing endorsement of IDaaS I've heard so far, and from a man that knows the area better than most of us. Incidentally, Kim refers to this area as identity management as a service, and thus IDMaaS rather than IDaaS. I have to agree with him, and thus will change my nomenclature as well (though the nitpicky editor in me would prefer "IdMaaS" since "dentity" isn't a word.)
The growth of cloud identity being what it is, I certainly expect to hear more announcements and more detail in this area from Microsoft. As Cameron said in his EIC keynote, "The cloud motor runs on identity." Stay tuned!
Follow Sean on Twitter at @shorinsean.