At Build 2016 last week, Vittorio Bertocci, Program Manager at Microsoft, presented a session titled “Microsoft Identity: State of the Union and Future Directions”: https://channel9.msdn.com/Events/Build/2016/B868
Most identity conversations revolve around forests, domains, and Active Directory administration. This talk is for developers, and Vittorio makes that clear in a very humorous way from the beginning.
Microsoft’s vision statement is “To be the BEST Identity system for ALL developers”, which encompasses three key pillars:
- Reaches the audience you want
- Great fundamentals – it must be secure, available, geo-replicated, respect privacy, and have a great user experience
- Works great with your solution
To understand the problem, we first need to understand what types of identity systems exist today. They break down into two primary channels, organizations and individuals. Vittorio’s slide summarized them as follows:
- Organizations (top to bottom):
- Cloud Directories
- Federation-Capable IDPs
- Active Directory
- On-Premises Directories
- Local Accounts
- Emerging IDPs
- OpenID Connect-Capable IDPs
- Established Social IDPs
Microsoft cares about all of these various types of providers. For some, a solution exists today; for others, Microsoft is working on a solution. According to Vittorio, they are committed to addressing all of them.
The importance of strong fundamentals…
- Constantly evolving, enterprise grade security.
- High scale, availability, performance, disaster recovery, compliance, geo replication
- Privacy features, locality, sovereign clouds
- Affordable, pay as you go
Vittorio discussed each of these in detail, but they are really self-explanatory. We all know how important security is. You don’t want to have your identity security compromised.
Finally on the key pillars, what does it mean to “work great with your solution”?
First, the solution must use open protocols. If you go out and create your own protocol that no one knows about, it won’t be compatible with any other system. Second, it must have great artifacts for your OS and dev stack – which really means documentation. You must be able to find detailed information about the solution for proper implementation. Next, it must have great management and lifecycle features. Finally, it must have a great user experience.
How do we get there?
On-premises Active Directory has been available since 1999 and is the most widely used business identity solution. AD also has federation capabilities through AD FS, which allows your identity solution to authenticate trusted users from third parties.
What happens when you move your app to the cloud? On-premises AD FS can still support authentication, but it can’t tell you the additional information about the user that you may be interested in, for instance which groups they belong to or who their manager is. Also, AD FS has serious scale limitations: each third party must maintain its own AD FS infrastructure, and you must connect to each one individually. That’s a problem if you want tens or hundreds of thousands of customers.
How do we solve these problems? Enter Azure Active Directory. Microsoft faced the very same problems when designing Office 365, so they came up with the idea of IDaaS, Identity as a Service. This streamlines the ability to stand up cloud workloads. It uses open authentication and authorization standards, and Azure AD Sync allows you to project your on-premises AD to the cloud.
Azure AD Fundamentals
Microsoft has built 30 data centers around the world, 22 in production and 8 announced. This is more than the next 2 competitors combined. I heard this stat a number of times at Build. Simply stated, Azure AD is the most available, scalable, and geo replicated solution on the market capable of supporting the world’s largest enterprises.
Azure AD provides intelligent, ever-evolving security. I first heard about Microsoft’s Advanced Threat Analytics last year at the Ignite Conference. It’s really advanced technology. If a user logs in from Chicago at 1:38pm and the same user tries to authenticate from Hong Kong at 3:45pm, then Azure AD will block the second authentication request. ATA knows this must be a hacking attempt, as a user cannot physically be in Chicago and Hong Kong on the same day. Microsoft also has a team that watches black markets for identities that are being sold. If your identity shows up there, Microsoft will notify you that it has been compromised. Very cool!
Azure AD also provides geo-replication and disaster recovery natively. In addition, it provides data sovereignty capabilities for regions such as Germany, where data privacy laws are very strict. Azure AD works with any device or development platform, including Android, iOS, Java, Ruby, and more. Finally, Microsoft offers a free tier, which makes the solution ultra-affordable for every use case.
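The Chicago/Hong Kong scenario above is what detection engineers call an impossible-travel check: take consecutive sign-ins for the same user, compute the great-circle distance between them and the time elapsed, and alert when the implied speed is faster than any flight. The following is an added example of that logic, not code from the session or from any Microsoft product; the sign-in records are constructed, and the 900 km/h threshold is an assumption standing in for airliner cruise speed. One caveat it makes explicit: the comparison must happen in UTC, not in each location's wall-clock time, so the Chicago sign-in at 1:38pm CDT and the Hong Kong sign-in at 3:45pm HKT are about eleven hours apart, not two.

```python
"""Impossible-travel check over constructed sign-in records (added example)."""
import math
from datetime import datetime
from itertools import groupby

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_SPEED_KMH = 900.0  # assumption: roughly airliner cruise speed

# Constructed sample sign-ins (not from the session or any real tenant).
# Each timestamp carries its UTC offset: Chicago is UTC-5 in April (CDT),
# Hong Kong is UTC+8, so the comparison below happens in absolute time.
SAMPLE_SIGN_INS = [
    {"user": "alice", "time": "2016-04-01T13:38:00-05:00", "city": "Chicago",   "lat": 41.8781, "lon": -87.6298},
    {"user": "alice", "time": "2016-04-01T15:45:00+08:00", "city": "Hong Kong", "lat": 22.3193, "lon": 114.1694},
    {"user": "bob",   "time": "2016-04-01T09:00:00-05:00", "city": "Chicago",   "lat": 41.8781, "lon": -87.6298},
    {"user": "bob",   "time": "2016-04-01T13:00:00-04:00", "city": "New York",  "lat": 40.7128, "lon": -74.0060},
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two latitude/longitude points."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def find_impossible_travel(sign_ins, max_speed_kmh=MAX_PLAUSIBLE_SPEED_KMH):
    """Return one alert per consecutive sign-in pair whose implied speed exceeds max_speed_kmh."""
    alerts = []
    # Sort by user, then by absolute time; fromisoformat keeps the UTC offsets.
    keyed = sorted(sign_ins, key=lambda s: (s["user"], datetime.fromisoformat(s["time"])))
    for user, events in groupby(keyed, key=lambda s: s["user"]):
        events = list(events)
        for prev, cur in zip(events, events[1:]):
            t0 = datetime.fromisoformat(prev["time"])
            t1 = datetime.fromisoformat(cur["time"])
            hours = (t1 - t0).total_seconds() / 3600.0
            dist = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            # Two distant sign-ins at the same instant count as infinite speed.
            if hours == 0:
                speed = float("inf") if dist > 0 else 0.0
            else:
                speed = dist / hours
            if speed > max_speed_kmh:
                alerts.append({"user": user, "from": prev["city"], "to": cur["city"],
                               "distance_km": round(dist), "hours": round(hours, 2),
                               "speed_kmh": round(speed)})
    return alerts


if __name__ == "__main__":
    for alert in find_impossible_travel(SAMPLE_SIGN_INS):
        print(alert)
```

Run as-is it reports one alert for alice (roughly 12,500 km in just under 11 hours, about 1,150 km/h) and nothing for bob, whose Chicago-to-New York hop works out to well under 400 km/h. A production rule would add exemptions for known VPN egress points and shared corporate IP ranges, which otherwise generate most of the false positives.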
Now what happens if we want to connect to more IDPs or have more control? Enter Azure AD B2C. This solution allows you to white-label an authentication solution. It runs on the same infrastructure as Azure AD, which is scalable and secure, supports multi-factor authentication, and integrates through open protocols. It lets you connect local accounts and social providers, and it includes email verification. And it provides a fully customizable user experience. Azure AD B2C is your one-stop-shop solution if you want to accept Microsoft Service Accounts, Google Plus, Facebook, Amazon, or LinkedIn accounts.
What happens if you want to include organization accounts in Azure AD B2C? You wouldn’t want to have two sets of code, one for organizational accounts (commercial) and one for individual accounts (consumer). That would be too much work; no one likes to support two of anything. So Microsoft has just announced the unification of Azure AD and the Microsoft Service Account (MSA).
This unification provides one registration portal, one endpoint and set of protocol conventions, and one set of libraries (new and improved)! Microsoft recently went through this with the Microsoft Graph API. If you are familiar with some of those legacy challenges, you’ll get this analogy. Now the same has been done with identity, and Microsoft is providing the new Microsoft Identity Library (MSAL).
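What the "one endpoint and set of protocol conventions" buys a developer is that the application validates an OpenID Connect ID token the same way whether a work account or a consumer account signed in: check the signature, pin the algorithm, then check issuer, audience and validity window. The block below is an added example of that relying-party validation written against the OpenID Connect rules, not code from the session or from MSAL. It signs a constructed token with HS256 using the standard library so it runs offline; real Azure AD tokens are RS256 and are verified with the public keys published at the issuer's discovery document, and the issuer URL format and the tenant and client identifiers here are placeholders, not values from the page.

```python
"""Validating an OpenID Connect ID token's signature and claims (added example, stdlib only)."""
import base64
import hashlib
import hmac
import json

# Placeholder values: the real issuer carries the tenant id, and the audience is the app's client id.
ISSUER = "https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/v2.0"
AUDIENCE = "CLIENT-ID-PLACEHOLDER"
SAMPLE_KEY = b"constructed-demo-signing-key"   # constructed; a real IdP publishes RSA public keys
NOW = 1459468800                                # fixed "current time" (2016-04-01T00:00:00Z) for determinism
BASE_CLAIMS = {"iss": ISSUER, "aud": AUDIENCE, "sub": "user-123",
               "iat": NOW - 60, "nbf": NOW - 60, "exp": NOW + 3600}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_hs256_token(claims: dict, key: bytes) -> str:
    """Constructed sample issuer: signs the claims with HS256 (real Azure AD tokens use RS256)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = b64url_encode(json.dumps(header).encode()) + "." + b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def validate_id_token(token, key, expected_issuer, expected_audience, now, skew=60):
    """Return the claims if the token is acceptable, otherwise raise ValueError with the reason."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header = json.loads(b64url_decode(parts[0]))
    # Pin the algorithm the app expects; never let the token's own header choose it.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected_sig = hmac.new(key, (parts[0] + "." + parts[1]).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(parts[2])):
        raise ValueError("bad signature")
    # Only after the signature holds are the claims worth reading.
    claims = json.loads(b64url_decode(parts[1]))
    if claims.get("iss") != expected_issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if expected_audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    if claims.get("exp", 0) + skew < now:
        raise ValueError("expired")
    if claims.get("nbf", 0) - skew > now:
        raise ValueError("not yet valid")
    return claims


def run_checks(now=NOW):
    """Exercise the validator on a good token and on the failure modes a relying party must reject."""
    good = make_hs256_token(dict(BASE_CLAIMS), SAMPLE_KEY)
    results = {"good": validate_id_token(good, SAMPLE_KEY, ISSUER, AUDIENCE, now)["sub"]}
    cases = {
        "wrong_audience": {**BASE_CLAIMS, "aud": "some-other-app"},
        "expired": {**BASE_CLAIMS, "exp": now - 3600},
        "wrong_issuer": {**BASE_CLAIMS, "iss": "https://other-issuer.example/v2.0"},
    }
    for name, claims in cases.items():
        try:
            validate_id_token(make_hs256_token(claims, SAMPLE_KEY), SAMPLE_KEY, ISSUER, AUDIENCE, now)
            results[name] = "accepted"
        except ValueError as err:
            results[name] = str(err)
    # Swap the payload of the good token without re-signing: the signature check must fail first.
    header_part, _, sig_part = good.split(".")
    tampered = ".".join([header_part, b64url_encode(json.dumps({**BASE_CLAIMS, "sub": "admin"}).encode()), sig_part])
    try:
        validate_id_token(tampered, SAMPLE_KEY, ISSUER, AUDIENCE, now)
        results["tampered"] = "accepted"
    except ValueError as err:
        results["tampered"] = str(err)
    return results


if __name__ == "__main__":
    for name, outcome in run_checks().items():
        print(f"{name}: {outcome}")
```

The order of the checks is the point: signature before claims, so a tampered payload is rejected as "bad signature" without its contents ever being trusted, and the audience check stops a token minted for a different application from being replayed against yours. With a library such as MSAL the signing-key lookup and these checks are done for you, but knowing what they are is how you review a configuration that skips them.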
Great session, Vittorio! I hope you all found something useful from this session. Azure AD and B2C are great emerging technologies that can help fuel your Digital Cloud Transformation.