1 Introduction
Microsoft Azure Active Directory fits into a still relatively new category of products (or, more correctly, services), which are best described as Cloud IAM, where IAM stands for Identity and Access Management. Some vendors refer to this category as IDaaS, which stands for Identity as a Service. However, the latter term and some related terms are overloaded with meanings and furthermore lack the important addition of “Access Management”.
Cloud IAM in the lexicon of KuppingerCole is defined as a combination of services:
- Directory Services as Cloud services that allow management of users centrally, including capabilities such as self-registration;
- Identity Federation to federate with existing Identity Providers (IdPs) and their directories as well as to federate-out to Relying Parties (RPs) or Service Providers (SPs) such as Cloud services;
- Access Management capabilities for the services that are accessed when federating out, i.e. Cloud services and other services supporting federation standards, which might also include other forms of Web Access Management, such as HTTP header injection;
- Social Logins and Adaptive Authentication, supporting various types of authentication mechanisms including social logins such as via Facebook or Google+;
- Support for added functionality such as step-up authentication is also commonly found.
Not all vendors in this product category support all of these features. Still frequently lacking are highly scalable, secure directory services in the cloud. Many vendors still rely on consuming information from on-premise directory services.
The product category of Cloud IAM complements traditional on-premise IAM (Identity and Access Management) solutions such as local Directory Services, Identity Provisioning, and many others. On the other hand, particularly based on features such as the Azure Active Directory Domain Services or for specific use cases such as the management of partner and customer identities, Cloud-based identity services can also operate independently of on-premise IAM infrastructures.
The need for these new services arises from the uptake of the “Computing Troika”: Cloud Computing, Mobile Computing, and Social Computing are ubiquitous these days. Business demands the use of Cloud services in many areas, both for a more rapid deployment of services and because several types of new services are only available in this deployment model. Mobile Computing is increasingly the common way to access services. Users rely on their preferred devices, and concepts such as BYOD (Bring Your Own Device) are a reality in many organizations. Social Computing, including a tighter collaboration with customers and business partners, the support for social logins, and concepts such as BYOI (Bring Your Own Identity), is the third challenge. However, even when it is not primarily about the “social” aspect of computing, IT organizations are facing the challenge of increasing business demand for business processes that interact with business partners and customers. From the IAM perspective, this requires the ability to manage not only the employees and some externals, but far more business partners and potentially millions of customers.
The changes described by the term “Computing Troika” create new challenges for IT in general and IAM in particular. Managing the identities and access of all these new users, supporting a rapid on- and off-boarding of business partners in agile businesses, self-registering customers and many new requirements raise the demand for a new model of IAM. This is what Cloud IAM delivers.
However, Cloud IAM is not the solution for every requirement. There is still a need for traditional IAM approaches in many (but not all) scenarios. On-premise IT requires other solutions, especially (but not only) when it comes to supporting legacy IT. Thus, Cloud IAM needs to be understood as an extension to the existing IT and IAM infrastructure, providing new opportunities. This is not about a “rip and replace” approach but about an evolution, where new capabilities are added to the existing IAM infrastructure for a seamless and integrated approach of managing identities and access.
Microsoft Azure Active Directory is a Cloud IAM service that is both available to customers and used by Microsoft itself as a foundation for Microsoft Azure, Microsoft Office 365, and other Microsoft cloud services. The Microsoft use cases prove the extremely good scalability of the service, which has successfully handled massive workloads for several years now.