As businesses of all sizes continue to embrace cloud computing solutions in order to enhance their existing on-premises IT infrastructures, the problem of keeping users productive while safeguarding business data is becoming increasingly more challenging. For datacenter-centric environments built upon the proven solution of Microsoft Active Directory, user authentication, authorization and access (AAA) to resources were safely in the hands of the administrator. But when cloud-based solutions like Microsoft Azure and Office 365 are added to the mix along with openness to the new BYOD (bring your own device) paradigm so treasured by the millennial generation, ensuring proper authentication and maintaining control of disparate resource access stored both locally and in the cloud can quickly become a headache for administrators whose mindset is still locked in the traditional datacenter approach to IT.
The solution to such challenges is to implement some form of hybrid identity solution that can make it easy to manage identity and resource access from the datacenter into the cloud. To help us understand Microsoft’s approach to solving the hybrid identity problem, I recently interviewed Sander Berkouwer who is a passionate Dutch IT Professional with over fifteen years of experience with projects in large IT environments. Sander is also a contributing blogger at DirTeam.com, 4Sysops.com and ServerCore.Net. Since 2009, Microsoft has awarded Sander with the Most Valuable Professional (MVP) award on Directory Services, and more recently on Enterprise Mobility. Sander works at SCCT as their senior consultant on Identity and Access Management (IAM).
MITCH: Sander let’s start off with some basics. What exactly is the concept of “hybrid identity” about and why is it something IT pros need to learn about today?
Sander: Hi Mitch. Hybrid Identity, to me, is about having one identity to access both on-premise resources, like applications, services and systems, and cloud resources. When admins configure hybrid identity, their colleagues can access all of these resources with Single Sign-On and/or Same Sign-On (both abbreviated to SSO), while they, themselves, regain an overview and even control over the security, compliancy and reporting aspects of this hybrid computing world many organizations already live in today. On top of that, when organizations embrace Microsoft’s Hybrid Identity vision, they can benefit from many of Microsoft’s unique and Azure-based security and self-service features, like Azure MFA. Ironically, many organizations talk about hybrid identity as extending their on-premise identity to the cloud, but many of the business cases I see today are the other way around.
MITCH: What’s included in Microsoft’s hybrid identity offering? I’m assuming there are several components in their solution and that not every organization will need to implement all of them.
Sander: That’s a good question! From a bird’s-eye view, Microsoft’s Hybrid Identity offering consists of an on-premise Identity Provider, Azure Active Directory and then, as the third component, all the cloud resources you can integrate, or are already integrated with Azure Active Directory, like Microsoft Office 365; today’s most popular cloud service, and Microsoft Intune.
Now let’s zoom in: In most environments I’ve encountered, the on-premise identity provider is Windows Server Active Directory Domain Services, but Microsoft also offers native support for LDAPv3 identity stores. Between Active Directory on-premise and Azure Active Directory, Microsoft offers its free Azure AD Connect tool for sync purposes and Active Directory Federation Services (AD FS) for authentication purposes. Of course, you can use your own sync solution as an alternative to Azure AD Connect, other federation solutions or even no federation solution at all.
Azure Active Directory acts as an ‘identity bridge’ to cloud resources and, today, in its premium license meets most of the identity management-as-a-service needs of even the most demanding enterprises: granular authorization, privileged identity management, auditing, health monitoring, (anomaly) reporting, identity protection, identity risk management, multi-factor authentication, B2B and B2C capabilities, self-service functionality, a financially backed 99,9% SLA and all the open identity protocols that have been developed for the Internet in the past decade (WS-FED, SAML, OAuth, OpenID Connect, SCIM).
Being a developer-focused company, Microsoft plugs in all of its own cloud services and applications into Azure Active Directory. Its Bring-Your-Own-App possibilities with Azure Active Directory, and support for the open identity protocols above, combined with the constant evangelism to get developers worldwide to use them too, through free libraries like ADAL, makes Azure Active Directory offer Single Sign-On to over 2600 apps, today. For all these apps, Microsoft offers a personalized and familiar interface to access them.
For organizations with on-premise identities and a cloud focus, it makes perfect sense to adopt this approach, but not all organizations work that way. For instance, universities have adopted a model where their students have free online-only accounts in Azure Active Directory. Yet, even for them the model works, because Azure AD offers provisioning of these kinds of identities and access for them to both cloud resources and on-premise resources, too, turning the tables on the entire Hybrid Identity model. And I’m not even talking about Azure Active Directory Domain Services, yet, which is really mind-blowing in this context, but currently only in preview.
MITCH: So what’s Azure Active Directory Domain Services about then? How does it compare or differ from Azure Active Directory? And what niche was it designed to fill that AD DS and Azure AD don’t fill?
Sander: When I first heard of Azure Active Directory Domain Services it blew my mind! Imagine you’re a multi-national company that has been operating for several years and, thus, has heavily invested into on-premise systems, services and applications. Of course, everything on-premise is SSO-enabled, based on familiar protocols like Kerberos, LDAP, and perhaps even some NTLM.
Now, someone comes in and tells you to say goodbye to your datacenters. IaaS is the future, apparently. Now, how would you lift and shift that entire on-premise investment to Azure IaaS? Granted, the networking stuff is pretty straightforward, but what about authentication and authorization? All the governance you’ve perfected over the years? This is where Azure Active Directory Domain Services steps up the plate. Based on the same synchronization mechanisms in Azure AD Connect, you can create smoke-and-mirrors Domain Controllers on an Azure IaaS-based virtual network, offering the same familiar protocols; not with an ordinary ntds.dit as the database, but with Azure Active Directory as the database. And as-a-service; Microsoft will scale the ‘Domain Controllers’ and ‘DNS Servers’ for you. Using your favorite migration tooling you can now take your systems and migrate them seamlessly to Azure IaaS; physical ones, Hyper-V-based ones, even VMware vSphere-based systems.
While it sounds like science-fiction, and surely, there are caveats, the way this offering blew my mind is that with Azure Active Directory Domain Services, good-old Windows Server Active Directory Domain Services, that we’ve loved, cherished and managed for the better part of the last two decades, now suddenly is legacy: Azure Active Directory can do Active Directory bigger, better, faster, stronger than on-premises Active Directory. It’s a brave new world!
MITCH: That’s pretty amazing! Are there any caveats though with using only Azure AD DS for user/computer authentication? Do you still need a local DC on-premises for AAA in case your organization’s internet connection goes down? Some businesses are still reluctant to move everything into the cloud because of the single-point-of-failure their internet line represents.
Sander: It’s relatively easy to point to caveats with Azure Active Directory Domain Services, because it is currently in preview. The team at Microsoft has laid the groundwork as much they could and are asking for feedback on areas to improve. Of course, these improvements may or may not come, depending on the resources available to the team, in the future.
I see many people discussing the ‘Group Policy’ feature (that only allows one policy and offers limited settings, compared to the Group Policies feature in Active Directory Domain Services) and the fact that you can only have the ‘smoke and mirror’ Domain Controllers on one old-style Azure Service Management (ASM)-based network.
Something that I’ve been more concerned with, is the NTLM functionality of Azure Active Directory Domain Services, offered by default by the ‘smoke and mirror’ Domain Controllers. While I see the benefit of offering this legacy protocol, I feel it’s a pity that the NTLM endpoint can’t be switched off centrally, to avoid having it exposed when unneeded. Going one step further, I feel the NTLM endpoints for Azure Active Directory Domain Services should be disabled by default.
Another thing some of us noticed was that enabling Azure Active Directory Domain Services (through the Azure management website) changed the information synchronized by Azure AD Connect to include the synchronization of the original NTHashes that live in connected Active Directory environment. For the (delegated) Azure AD Connect admin, this poses a challenge, because the only way to not synchronize these hashes, alongside the new OrgID-hashes, is to disable password synchronization altogether (not synchronizing them from Active Directory into Azure AD Connect’s metaverse).
Now, on to organizational reluctance to go to the cloud. Many organizations keep Domain Controllers on-premise, but I don’t feel the Internet connection is the main reason here. Unless your organization resides in Australia or South Africa, I believe a second Internet connection is an easy hurdle to overcome, combined with a second router, second location and Azure’s Traffic Manager (for instance), a redundant Internet Connection is within reach.
The next hurdle, like always, is harder to overcome; it requires organizations to think about governance and, thus, processes. No wonder many organizations are reluctant to ‘move everything into the cloud’. Their classifications, associated countermeasures and processes make it a project; an expensive, time-consuming and technologically challenging project. On the other hand, you could justify moving servers to Azure IaaS to shorten the chain of components and improve on availability. I’ve heard some Exchange Server masters make that specific case for Azure AD Connect. I guess it boils down to the different requirements different organizations have.
MITCH: Those are some excellent observations, thanks! But let’s step away from Azure Active Directory Domain Services for now since it’s still in preview and get back to the subject of Microsoft’s current hybrid identity offering i.e. their on-premise Identity Provider, Azure Active Directory, the Azure AD Connect tool, AD FS and so on. Generally speaking what are some of the technical challenges you’ve experienced with companies that have tried to “hybridize” their existing enterprise infrastructures with these various offerings?
Sander: I feel Microsoft has done a great job with supporting organization by providing IdFix for free. This tool scans many objects and their attributes in the on-premises Active Directory, so organizations can get them fixed before going hybrid with their identities. The documentation clearly points to this tool, but unfortunately not everyone uses it, and unfortunately, IdFix doesn’t detect or show everything, either. For instance, it doesn’t report on the limits of Azure Active Directory, while people sometimes hit them. This is one of the things that I’ve blogged about, as part of a series on checks I feel every organization should perform before departing on their Hybrid Cloud journey. I’m helping a lot of organizations on these journeys.
MITCH: How about if we finish off our interview by asking you to share a bit of your own background in IT? Also tell us some more about yourself, for example your hobbies and interests.
Sander: I studied at the technical university in Delft from 1995 to 2000. I started my first job in IT in 2000, after being involved in some scenes at university building our own PCs and managing several different OSs. Quickly I started training colleagues and striving for more Microsoft engagement; My first employer became a Microsoft Gold Partner in 2005. By then, I wanted to share my experiences more broadly and started blogging and speaking. Little did I know I would end up with eight MVP awards, already, a career on the side as an international speaker and even this interview!
When I’m not working, speaking, blogging, learning, travelling or otherwise involved in technology (that counts as a passion, I guess), I like to enjoy time with my loving wife and daughter at home. Luckily, my daughter enjoys the same level of creativity and love of Lego.
MITCH: Sander thank you very much for sharing some of your valuable time with our readers here on WindowsNetworking.com!
Sander: My pleasure. Thank you!