Identity management in the cloud (or how to avoid the need to login every two minutes)

Many education institutions in Australia are using Active Directory for their identity management. Typically, when a new student or staff member starts, they have an account created in the Active Directory (in many cases, this is done automatically by their student management system). That then allows them to logon to their computer and the network, and also gives them permission to access specific information (for example, for the staff to be able to access network resources and software that students shouldn’t have access to).

Over the years, the ways that Active Directory is used have extended to all kinds of different scenarios, and it’s become the single source of truth in education institutions for user access and information rights. And as customers move to cloud services for some of their IT services, the Active Directory has expanded to that (for example, in my day to day life our Active Directory is used to give me access to all kinds of external and web-based services, including Office 365, Yammer, our external travel booking service and our external payslip system). It means I only login once, and don’t need to login again when I jump across to these systems.

If you’re in an institution where you have to login multiple times on different systems, then it’s time to look at identity management in the cloud. There are two parts to the story – what the institution sets up, and what the external software developers do. I’ve covered both below, so that you can get an idea of the conversations you might have with your external software suppliers.

About identity management in the cloud

Windows Azure Active Directory is a service that provides identity and access capabilities for on-premises and cloud applications.

Microsoft cloud services today, such as Windows Intune and Office 365 for education, rely on the identity management capabilities provided by Windows Azure Active Directory. These capabilities include a cloud based store for directory data and a core set of identity services including user logon processes, authentication and federation services. In addition, organisations that subscribe to these cloud services can use Windows Azure AD to configure single sign-on to allow interoperability with their existing on-premises Active Directory environment.

Because it is your organisation’s cloud directory, you decide who your users are, what information to keep in the cloud, who can use the information or manage it, and what applications or services are allowed to access that information.

Because it’s a cloud service, when you use Windows Azure AD, it is Microsoft’s responsibility to keep Active Directory running in the cloud with high scale, high availability, and integrated disaster recovery, while fully respecting your requirements for the privacy and security of your organisation’s information.

Using Windows Azure Active Directory as a developer

Developers can use the features of Windows Azure AD to create applications and services that run in the cloud, and use the organisation’s Active Directory information to control access to the system, without users having to create another, new login identity. Developers can:

  • Implement single sign-on and single sign-off for enterprise applications and software as a service (SaaS) providers
    for example, so that users can automatically be logged into a cloud-based Learning Management System
  • Query and manage cloud directory objects, such as users and groups, by using the Graph API
    for example, you could allow a student management system to manage your Active Directory to add them to specific curriculum groups, and to update their photo that shows to staff in email and IM conversations
  • Integrate with on-premises Active Directory to sync directory data to the cloud and enable single sign-on across on-premises and cloud applications

As a highly-available and highly-scalable service of Windows Azure, Windows Azure AD can be used to manage identities at massive scale, and it enables organisations to use their credentials to authenticate to new or existing applications, factoring out the authentication process and eliminating the need for many different identities.

Integration with your on-premises Active Directory

Windows Azure AD can be used as a standalone cloud directory, but you would usually integrate your existing on-premises Active Directory with Windows Azure AD. Some of the features of integration include directory sync and single sign-on, which further extend the reach of your existing on-premises identities into the cloud for an improved admin and end user experience. Learn more about directory synchronisation, password synchronisation and Single Sign On (SSO).

Integration with your applications

Application developers can integrate their applications with Windows Azure AD to provide single sign-on functionality for their users. This enables enterprise applications to be hosted in the cloud and to easily authenticate users with corporate credentials. It also enables software as a service (SaaS) providers to make authentication easier for users in Windows Azure AD organisations when authenticating to their services. Learn more about integrating applications in Windows Azure Active Directory, and the control that IT administrators have to add, update and remove access for apps.
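Whether it is the Learning Management System from the developer list above or a SaaS provider described here, the application never sees the user’s password with single sign-on: it receives a signed token from the directory and must check that token before letting the user in. The checks below are an added example and not code from the original post or from Windows Azure AD’s own libraries; the signing key, issuer URL and application identifier are constructed for the demo, and a real Azure AD token is verified against the directory’s published public signing key rather than a shared HMAC key.

```python
import base64, hashlib, hmac, json, time

# Constructed demo key shared by the "directory" and the app. Real Windows Azure AD
# tokens are signed asymmetrically; HMAC is used only so this runs offline.
IDP_KEY = b"constructed-demo-key-not-a-real-secret"
EXPECTED_ISSUER = "https://directory.example-school.test/"  # assumed tenant issuer
EXPECTED_AUDIENCE = "https://lms.example-school.test/"      # assumed app identifier

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(claims: dict, key: bytes = IDP_KEY) -> str:
    """Simulates the directory issuing a signed token once the user has logged on."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def validate_token(token: str, now=None, key: bytes = IDP_KEY) -> dict:
    """Checks the app must make before trusting an SSO token; raises ValueError."""
    now = time.time() if now is None else now
    header, body, sig = token.split(".")  # ValueError if not three dot-separated parts
    # 1. Signature: the token really came from the directory and was not altered.
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body))
    # 2. Issuer: only this institution's directory may vouch for users.
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("wrong issuer")
    # 3. Audience: a token minted for another app must not log a user in here.
    if claims.get("aud") != EXPECTED_AUDIENCE:
        raise ValueError("wrong audience")
    # 4. Lifetime: reject expired tokens so a stolen one is only useful briefly.
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        raise ValueError("token expired")
    return claims

def token_status(token: str, now: float) -> str:
    """'ok' or the rejection reason, as the app would write to its sign-on log."""
    try:
        validate_token(token, now=now)
        return "ok"
    except ValueError as exc:
        return str(exc)
```

Skipping any one of the four checks is the classic SSO integration bug: a token for a different application, a different tenant or long past its expiry would otherwise log the user straight in.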

Some links for developers

If you’re looking to build Windows Azure AD into your application(s) for web single sign on, then here’s some links that might interest you: