Cloud Identity and Active Directory Integration in a ‘Mobile First, Cloud First’ World

Satya Nadella, Microsoft’s new CEO, has been widely covered in the news talking about Microsoft’s new strategy of ‘Mobile First, Cloud First.’ We wholeheartedly agree with this philosophy, and it really shows in our Centrify User Suite, an integrated cloud, Mac and mobile offering. In this blog post I’ll discuss some of my thoughts regarding what Microsoft offers vis-à-vis cloud identity and compare/contrast that to what Centrify offers.

First, let me make it clear that we also wholeheartedly agree with Microsoft about the value of two key elements of their cloud strategy – Office 365 and Azure. Azure is available to customers and ISVs as both a Platform-as-a-Service (PaaS) and an Infrastructure-as-a-Service (IaaS) offering. For Office 365, the Centrify User Suite provides significant value to Microsoft customers from a functional and ease-of-deployment perspective – which we’ll cover in more detail below. Regarding Azure, Centrify uses Azure to power our commercial cloud and mobile solutions. Everyone at Microsoft interested in increasing Office 365 adoption and driving more usage of Azure has an ally in Centrify.

The underlying identity store underpinning Office 365 is Microsoft Azure Active Directory, which, like Azure, is also available as a cloud directory for ISVs and application developers. You might think this is Active Directory… that’s something you already know and love, right? Well, not exactly. The Active Directory brand is being leveraged in the name of the product, but Azure AD does not equal AD. Azure AD is new and cloud-based, while Active Directory is an on-premises offering that has been around for over 15 years and remains the de facto standard directory service, with over 95% penetration in the enterprise. Since its introduction into the market in 1999, companies have invested huge sums of money in their AD infrastructure and in the processes that support its use. Generally speaking, companies want to protect those investments, and they don’t want to further build out their infrastructure.

AD supports standards such as Kerberos and LDAP, while Azure AD supports a different set of single sign-on protocols such as SAML. AD provides Group Policy to manage users and computers from a policy perspective; Azure AD has no capability comparable to Group Policy, so you have to look to a separate solution to manage computers and devices.

A key thing to remember is that Azure AD in effect represents a directory infrastructure parallel to what customers have on-premises with Active Directory. That is, if a user has an identity inside AD, to access Office 365 they must also have an identity record inside Azure AD. In effect you are maintaining duplicate identity stores — one on-premises and one in the cloud. This is very similar to deploying Salesforce — the cloud app has its own directory, independent of your on-premises AD.

Recently the general availability of Azure Active Directory Premium was announced – a solution that provides password reset for Azure AD users and group management for Azure AD groups, and that builds on the SaaS SSO capabilities to third-party apps that Azure AD already provides by adding provisioning, multi-factor authentication and reporting. On paper, Azure AD Premium sounds like a great set of capabilities in a cloud- and mobile-centric world. And frankly it would be a good set of initial capabilities if a customer were purely cloud-centric, with Office 365 as the primary app and no on-premises AD to deal with.

The rubs with Azure AD Premium have to do with the points I made above: it is a separate directory infrastructure vis-à-vis AD, and it lacks a policy management solution.

Let’s talk about that first point in a bit more detail. The reality is that in a cloud/mobile-centric world in which you have on-premises AD, to leverage Azure AD Premium as your Cloud Identity solution you actually must rely on a lot of on-premises tools. Namely, you have to rely on DirSync to sync data from AD to Azure AD, and for federated single sign-on leveraging AD you must rely on Active Directory Federation Services (ADFS). And in more complicated environments you have to rely on Forefront Identity Manager (FIM) to replicate AD data to the cloud.

The fact is that all three of these tools have significant limitations. In the case of ADFS and FIM, these tools were built pre-Azure/pre-Office 365, so they are in effect on-premises-centric rather than cloud-centric. Take ADFS for example. It requires at least 4-5 servers to deploy, some in the DMZ, requires ports to be opened in firewalls, etc., which is antithetical to a cloud-centric approach. The Centrify approach is to deliver federation services to/from AD mainly in our cloud service, with a small proxy server that can be deployed on-premises in minutes to tie into AD. Tom Kemp illustrated in painful detail the many trials and tribulations associated with ADFS here and here. In future blog posts I will describe some of the limitations with DirSync and how Centrify does a much better job of provisioning data from AD to Azure AD.

ADFS vs. Centrify

The other side of this coin is that Azure Active Directory decidedly points customers to store identity only in Microsoft directories. They have designed an offering that attaches customers to their platform: if identity data is on-premises, it is in AD; if it is in the cloud, it is in Azure AD. This is in stark contrast to Centrify’s “identity where you want it” approach, where today we can keep all identity data in AD for accessing cloud apps, so there is no replicating identity data to the cloud, and we also let you store identity data in our cloud directory. Pretty soon we will be supporting additional cloud directories (including, in fact, Azure AD). With Centrify, a company can store employee data in on-premises AD, contractors in Azure AD, partners in the Centrify cloud directory, and, say, customers’ identities in a cloud-based CRM. This is a much more flexible and cloud-friendly approach to cloud identity.

Net-net, the drawbacks of Microsoft’s cloud identity offerings are that in an AD environment you have to rely on a lot of on-premises software and you may only use their identity stores/directories.

But let’s also not forget about the policy management issue I brought up above for management of devices and systems. Again, Azure AD (Standard or Premium) does not address that. Microsoft does offer Intune, and has a marketing bundle of Intune and Azure AD Premium called Microsoft Enterprise Mobility Suite (“EMS”).

But … Intune itself has its own rubs. It requires licenses for on-premises System Center and is not integrated with Azure AD from a user or IT admin perspective. This is in stark contrast to Centrify, which has completely bundled and integrated both mobile and identity management from the get-go. Big difference, and not only in price, but in functionality, and in being truly cloud- and mobile-centric. More about Intune in later blogs.

As our CEO Tom Kemp said in a recent blog, we like having our vision validated by a vendor such as Microsoft. But a cloud-first and mobile-first vision should be about delivering purely cloud-centric and mobile-centric solutions, not about requiring loads of on-premises capabilities and offering solutions that are not truly integrated together. And it should be about giving customers the flexibility to have identity and policy where they want it too. Net-net, we like our position vis-à-vis Cloud Identity and Active Directory integration in a “mobile first, cloud first” world, and we think you will too. But please also note that we think our end goal is in the end aligned with Microsoft’s goals … we want customers to successfully get to SaaS apps such as Office 365 — we just think we’ve built a better mousetrap to help them get there.