Windows Azure SQL Database Marketplace
Yesterday we shared that Windows Azure Active Directory (AD) has processed 200 BILLION authentications . Today I’m excited to share some great identity-related improvements we’ve made to Windows Azure that leverage the capabilities of Windows Azure AD. The number one identity management feature that Windows Azure customers request is the ability for organizations to use their on-premise corporate identities in Windows Server Active Directory to deliver single sign-on (SSO) access to the Windows Azure Management Portal and centralized user access management. Starting today, the Windows Azure Management portal is now integrated with Windows Azure AD and supports federation with a customers on-premise Windows Server AD. In addition this integration means that the millions of Office 365 customers can use the same tenants and identities they use for Office 365 to manage sign-on and access to Windows Azure.
There are many advantages to using federation with Windows Azure. For IT professionals, it means:
For developers and operators who access the Management Portal, federation means:
Overall, federation can be used to greatly increase the security of your company’s cloud assets and intellectual property.Using your existing Organizational accounts to access Windows AzureThere are two simple sign-in methods you can use with your existing Organizational Account powered by Windows Azure AD to sign-in to Windows Azure. This includes the Organizational Account you might already use to log into Office 365.
1. Use the Windows Azure sign-in pageYou can use the standard Windows Azure sign-in page that you use to access the Windows Azure Management Portal. To sign-in with your Office 365 organizational account, click the link named Already use Office 365? as shown in the followingdiagram.2. Bypass the Windows Azure sign-in pageAlternatively, you can bypass the sign-in page prompts by adding your company’s existing federated domain name to the end of the Windows Azure Management Portal URL. For example from a domain joined machines, point your browser to https://windows.azure.com/contoso.com. If your company has setup federation with Windows Azure AD or if you are already logged into Office 365, you will be logged in to Windows Azure automatically.
To illustrate how this works, let’s use an example of a user named Andrew who works for a fictitious company named Identity365.net. The company has an existing Office 365 subscription and they’ve previously set up federation with Windows Azure AD. To access Windows Azure, Andrew logs in to his domain joined PC and types the URL for Windows Azure, but adds his company’s domain name to the end of the URL (https://windows.azure.com/identity365.net). Windows Azure AD recognizes that identity365.net is a federated domain, and silently redirects Andrew to his organization’s on-premises Active Directory Federation Service (AD FS) server. Andrew’s organization has configured their AD FS server to require multifactor authentication because they manage medical records using Windows Azure, and they must be HIPPA compliant.Andrew then inserts his smartcard and selects his name from the list above. His PC then prompts him for the smartcard PIN:
Once he enters his smartcard pin, he is automatically signed into the Management Portal. If Andrew doesn’t provide a smartcard, or uses the wrong pin, his company’s Windows Server AD FS denies him access. By default, Windows Server AD FS will show the standard HTTP 403 Forbidden response code for when improper credentials are submitted during sign-in, but this can be customized to provide a more user-friendly behavior:How federated access works with Windows AzureThe following illustrations shows how federated access works between Windows Azure AD, the Windows Azure Management Portal, Windows Server AD FS and your company’s on-premises Windows Server Active Directory:
Step 1: User logs into the local domain-joined corporate PC
The following actions occur automatically:
Step 2: User types the Windows Azure Portal with his company name
The user types http://windows.azure.com/fabrikam.com
The following actions occur automatically:
Step 3: Windows Azure AD performs look up and then redirect
The following actions then occur automatically:
Step 4: On-Premises AD FS sends authentication challenge sends SAML token
The following actions now occur automatically:
Step 5: AD FS redirects back to Windows Azure AD
Step 6: AD FS Authentication Challenge
In the final step, the following actions occur automatically:
To learn more about how you can set up single sign on between your company’s on-premises directory and Windows Azure Active Directory, click here. If your company is already using Office 365 or another Microsoft cloud servie backed by Windows Azure AD, you can immediately get started by purchasing a new Windows Azure subscription using your corporate identity. To start the purchasing process, visit http://account.windowsazure.com/yourcompanyname.com, replacing the last portion of the URL with your corporate DNS name.
I look forward to your comments, questions and feedback below!Best Regards,
Alex SimonsDirector of Program ManagementActive Directory Division