Windows Azure Active Directory: Should You Use It?

The Windows Azure Active Directory service is supposed to offer corporate customers just getting into the cloud the same kind of single sign-on identity management platform they’ve used for years with Windows Server. Does it measure up to what corporate users would expect?

Computerworld offers a full review of the developer preview version of WAAD. Jonathan Hassell, the review’s author, effectively gave the service a grade of “incomplete.” While you can’t expect something that’s effectively a beta to include everything that will be in the final version, WAAD presented a number of annoying problems that definitely need fixing before it can attract a wide share of the market.

First, you can’t even try out the service unless you sign up for a trial of Office 365, Microsoft’s cloud Office suite. The software giant does plan to let you bring up an instance of WAAD as part of your Azure subscription later on, at least.

The next problem comes in when you create an instance of Active Directory Federation Services Version 2 (ADFS2) on your company's network, as required to use WAAD. ADFS2 acts as an intermediary between the network running on your premises and the cloud. ADFS2, in its turn, calls up DirSync, a program that copies your local directory and propagates it to the cloud tenant AD instance. The problem here, though, is that DirSync is STRICTLY a one-way intermediary.

As Hassell explains the issue, “Right now DirSync is only one-way; it goes only from on-premises to cloud. If you were to, say, create a new user on your Office 365 cloud system, that user information wouldn’t find its way down to your local directory. Equally frustrating, the users you may already have created on your cloud tenant AD instance won’t propagate down to your local directory, even upon first connection.”

Other than these problems, the tool more or less works as you would expect. Hassell notes that it's best to expect the initial transfer and synchronization process to take up to 36 hours. In the four runs he tried, it never took more than a few hours, but the largest number of users he synchronized at one go was 122; larger domains would certainly take longer. Because ADFS2 handles credential validation entirely on premises, passwords never enter the cloud, which is a definite plus.

Certain questions remain. As this preview of WAAD is intended for software developers, it lacks certain bells and whistles, such as a graphical user interface. Currently, the service can only be administered through a remote PowerShell session. Microsoft has promised a GUI in the future, but Hassell thinks there may be some question as to how complete it will be. He's also concerned about how on-premises Group Policy will work when ported to Active Directory in the cloud; currently, Group Policy works ONLY with on-premises deployments.

Due to these and other important questions, Hassell thinks that “Windows Azure Active Directory is an interesting, but not yet compelling, addition to cloud-based directory services…But for now, unless you’re running Office 365, there’s not much with which to integrate. The cross-platform and administrative stories are simply not there yet.” Make no mistake; he thinks it’s a promising technology, and worth watching for future developments. However, “unless you’re building Azure apps right now, you can give this release a pass,” he concluded.