The idea that a business computing system built by Microsoft should enable organizations to store their employees’ personally identifiable information (PII) in the cloud isn’t something likely to inspire enthusiasm.
Imagine, from the people who brought you Windows XP: Your identity, on an unknown server someplace, accessible from any device!
If we lived in the client/server world of the 1990s, this would be a truly scary thought. As it stands now, PII lives and breathes on cloud platforms anywhere and everywhere in the world. Rather than be frightened of it, the task before us now is to develop an architecture for properly securing it.
For the past few years, Microsoft has been quietly developing an identity store that’s deeper than the Microsoft Account feature that helped define Windows 8. If you’re a user of Office 365, then you're already using this new feature and you may not even know it.
It is Azure Active Directory (AD), a reconstruction of the most common and most successful authentication framework and identity repository ever made, centrally within Microsoft’s Azure cloud platform.
Its goal is single sign-on (SSO) for users to any corporate resource hosted on-premise or on a cloud platform (not necessarily Azure), for any application that already recognizes Active Directory.
Beyond Single Sign-on
Many organizations have forged their own course for enabling SSO from the Windows lock screen, and applying the authenticated identity to other SaaS apps, such as Workday, SharePoint Online, and Salesforce.
For Windows to enable this as a feature, it was necessary to retrofit Windows 10 with a standard way for a user to join an Azure AD domain using the same lock screen with which the new Hello feature authenticates users biometrically.
This is where Microsoft introduces a concept to Windows 10 called Azure AD Join. In short, it leverages Azure AD to apply the same verifiable identity obtained when the user signs on, to vouch for that user with any of several hundred major brands of SaaS applications.
In a sense, Windows can then behave as if those SaaS apps were physically installed on whatever systems have authenticated their users.
Windows 8 introduced the Microsoft Account, and the principle of cloud-based identity sharing through Microsoft was demonstrated for the first time with Office 2013 and OneDrive. That’s not exactly single sign-on, especially in the sense that it does not allow an administrator to apply access policies to the Account holder.
Historically with Windows Server, the rights and privileges of users enrolled in the company AD were administered through a single console installed on the server. With Azure AD, that console moves to the Azure portal, which is accessible from a Web browser.
Active Directory itself moves to Azure, to the same location where Office 365 accounts are being hosted now.
Azure AD presents devices with an appearance of a corporate domain. Once a device is enrolled with one, it cannot be enrolled with another AD domain simultaneously, including on-premises. Azure AD replaces on-premise AD.
This way, administrators can implement device management (formerly called MDM, but the first “M” is becoming a moot point) for any device that can access corporate resources, including SaaS applications hosted by third parties.
But perhaps more importantly, for the growing number of folks who access those resources on devices that do not run Windows 10 or 8 or 7 or 3.0, there will still be a system that manages their privileges and access levels.
“Every time you bring an application under Azure Active Directory,” said Microsoft senior product marketing manager Nasos Kladakis during the company’s Ignite conference last May, “from Twitter and Facebook to Salesforce and Google Apps, your users will be able to use your corporate credentials to access those applications.
“Great. But for Salesforce and Google Apps and Box, and the other applications,” Kladakis continued, “it’s not just logging into them. You have to create an account for these applications ... Single sign-on solves one problem: how to access those applications. What about provisioning?”
Azure AD can actually create the accounts within the SaaS providers’ native platforms, and enable access and security policies around those applications as though they were Microsoft apps. “It also creates groups, and it also respects all the roles that the applications have,” he went on.
This way, at the time an Azure AD user is created, an administrator can assign roles to that user relevant to those non-Microsoft apps enabled for that user. The provisioning process here is automated. And those roles will be recognized and activated whenever the user logs onto Windows 10.
The No-Computer People
“How many of you don’t have a laptop?” asked Windows management expert Mark Minasi during a Microsoft conference last May, to a room full of developers, most of whom had their laptops in front of them. It seemed like an odd question.
“But if we talked to your mother,” Minasi continued, “or your grandfather or your 15-year-old kid, what’s the chances that they don’t have a laptop?”
His point was this: The success of the iPad has steered the course of corporate resource access away from Windows and onto the Web. For Active Directory to remain pertinent, it has to detach itself from Windows somewhat, to become more oriented around people than machines.
“You’re going to see more and more folks becoming ‘no-computer people,’” he went on. “They’re going to be tablet people, tablets with Bluetooth keyboard people, something along those lines. Those things don’t run Windows.”
Minasi has been a respected source of Windows administrative and security training and expertise for the better part of a quarter-century. Yet he believes, even after Windows 10’s release, the number of people who don’t use devices with Windows will continue to rise.
Citing a November 2014 IDC survey that revealed that 16 percent of respondents said their organizations do not presently employ on-premise IT staffs, Minasi said, “That’s a lot, and that’s fast! Those people are never going to have Active Directories. If Microsoft doesn’t do something for these guys, somebody else is gonna.”
Cloud platforms have washed away our early notions of “domains,” since networks are no longer perceived as being comprised of computers. They’re made up of people, and people move between devices.
People today expect a more consistent degree of connectivity with their own corporate resources, wherever they go. Firewalls no longer denote the boundaries of corporations’ networks. SaaS applications exist on one side, and devices exist on another.
And more and more of these things don’t carry a Microsoft brand. Isn’t it amazing, then, that Microsoft is actually acknowledging this fact to the extent that it is, and providing for business users who live and work in a multi-branded world?