Most business users’ first experience with the cloud is through a Software as a Service (SaaS) offering like Microsoft Office 365. As a business’s cloud presence grows and its infrastructure becomes more evenly balanced between cloud and on-premises systems, new challenges emerge. A common challenge of this integration is keeping a single directory of users synchronized across all parts of the network. Microsoft manages the directory of users with Active Directory (AD). Most Microsoft-based networks have had an on-premises AD server that manages user identification and authentication. As connectivity beyond the premises has increased through e-commerce and cloud computing, new technologies have been developed for AD. Office 365 users, whether they realize it or not, use the AD system within Microsoft Azure. Microsoft offers this same cloud-based AD system to all Azure users as Azure AD. Before detailing a cloud-based AD strategy, I will briefly review the benefits of an AD system on the corporate network.
1. Identify the Environment - AD creates a central point of identification and authentication across all platforms and locations of the corporate network.
2. Enable Users - AD gives users more of a self-service experience and makes them less dependent on corporate IT resources. Users can also receive benefits like single sign-on (SSO) when logging on to multiple applications or services.
3. Protect Corporate Data - Authentication is the most basic form of network security. It verifies users on a network the way a passport verifies travelers entering a foreign country.
Public cloud providers each offer their own form of directory service; in this article I will focus on Microsoft Azure. Most administrators who consider Azure AD are concerned that it will add another complicated layer on top of the on-premises AD server. Actually, the opposite is true: it can offer a kind of “AD lite”. It helps by reducing a user’s identity to a few simple fields such as name, tenant, role, and password.
The same Microsoft Azure AD that serves as the directory for Office 365 is free to Azure users. However, there are premium tiers that offer additional functionality. These premium levels offer value-added features such as company branding and self-service features for users, such as password reset.
By storing a business’s directory services and authentication in the public or private cloud, a business creates a secure and always-available directory service. Azure AD is fully scalable and can be integrated with other services through APIs and web-based protocols. This also allows integration with on-premises AD servers and enables single sign-on for all applications. Azure AD can be thought of as identity as a service.
Azure AD services can be managed directly in the Azure portal for simple configurations. More sophisticated deployments may be managed with familiar tools such as AD Domain Services (AD DS), Lightweight Directory Access Protocol (LDAP), and Active Directory Federation Services (AD FS).
The Office 365 directory provides a basic outline of how these services work. Its identities come in three models: cloud only, synchronized identity, and federated identity. Cloud-only identities are created within the Office 365 admin portal and managed behind the scenes by Azure AD. Synchronized identity accounts are created on premises on an AD server, and their passwords are kept in sync with the cloud; in this model the cloud directory is the ultimate basis for authentication. Federated identity is more complex. Users are based in the on-premises directory and kept in sync with the cloud; however, ultimate verification is retained by the on-premises AD services.
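As an added example (not part of the original article), the following PowerShell script reports which of the three identity models each verified domain in a tenant uses, based on the domain’s authentication type and whether directory synchronization is enabled. It assumes the Microsoft Graph PowerShell SDK is installed and that the signed-in account holds the Organization.Read.All and Domain.Read.All permissions.

```powershell
# Added example, not from the original article. Classify each verified domain
# in the tenant as cloud only, synchronized identity, or federated identity.
# Assumes the Microsoft Graph PowerShell SDK (Microsoft.Graph module) is
# installed and the account can read organization and domain objects.

Connect-MgGraph -Scopes "Organization.Read.All", "Domain.Read.All"

# Tenant-level flag: is directory synchronization from on-premises AD enabled?
$org = Get-MgOrganization | Select-Object -First 1
$syncEnabled = [bool]$org.OnPremisesSyncEnabled

function Get-IdentityModel {
    param(
        [Parameter(Mandatory)] [string] $AuthenticationType,  # "Managed" or "Federated"
        [Parameter(Mandatory)] [bool]   $SyncEnabled
    )
    # Federated: the domain trusts an on-premises federation service such as
    # AD FS, so the final authentication decision stays on premises.
    if ($AuthenticationType -eq 'Federated') { return 'Federated identity' }
    # Managed with directory sync: accounts originate on premises, passwords are
    # kept in sync, and Azure AD itself performs the authentication.
    if ($SyncEnabled) { return 'Synchronized identity' }
    # Managed with no sync: accounts exist only in Azure AD.
    return 'Cloud only'
}

Get-MgDomain |
    Where-Object { $_.IsVerified } |
    ForEach-Object {
        [pscustomobject]@{
            Domain        = $_.Id
            AuthType      = $_.AuthenticationType
            DirectorySync = $syncEnabled
            IdentityModel = Get-IdentityModel -AuthenticationType $_.AuthenticationType -SyncEnabled $syncEnabled
            LastSync      = $org.OnPremisesLastSyncDateTime
        }
    } | Format-Table -AutoSize
```

Directory synchronization is a tenant-wide setting, so a synced tenant can still contain cloud-only accounts; to confirm where an individual account originates, check the OnPremisesSyncEnabled property on the user object returned by Get-MgUser.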
Cloud services benefit most IT infrastructure environments, although they may also create complications. Employing a synchronized directory for all users and applications, on and off the premises, creates a stable foundation for identifying and protecting all users and data on the corporate network.
If you would like to talk more about strategies for migrating data to the cloud, contact us at:
Jim Conwell (513) 227-4131 jim.conwell@twoearsonemouth.net
we listen first…