With Azure Active Directory, Microsoft wants to be the meta ID hub

Summary: A soon-to-be-delivered preview of a Windows Azure Active Directory update will include integration with Google and Facebook identity providers.


Microsoft isn't just reimagining Windows and reimagining tablets. It's also reimagining Active Directory in the form of the recently (officially) unveiled Windows Azure Active Directory (WAAD).

In a June 19 blog post that largely got lost among the Microsoft Surface shuffle last week, Microsoft Technical Fellow John Shewchuk delivered the promised Part 2 of Microsoft's overall vision for WAAD.

WAAD is the cloud complement to Microsoft's Active Directory directory service. Here's more about Microsoft's thinking about WAAD, based on the first of Shewchuk's posts. It already is being used by Office 365, Windows Intune and Windows Azure. Microsoft's goal is to convince non-Microsoft businesses and product teams to use WAAD, too.

This is how the identity-management world looks today, in the WAAD team's view:

And this is the ideal and brave new world they want to see, going forward.

WAAD is the center of the universe in this scenario (something with which some of Microsoft's competitors unsurprisingly have a problem).

How is Microsoft proposing to go from A to B? Shewchuk explains:

"(W)e currently support WS-Federation to enable SSO (single sign-on) between the application and the directory. We also see the SAML/P, OAuth 2, and OpenID Connect protocols as a strategic focus and will be increasing support for these protocols. Because integration with applications occurs over standard protocols, this SSO capability is available to any application running on any technology stack...

"Because Windows Azure Active Directory integrates with both consumer-focused and enterprise-focused identity providers, developers can easily support many new scenarios—such as managing customer or partner access to information—all using the same Active Directory–based approach that traditionally has been used for organizations’ internal identities."

Microsoft execs are sharing more information and conducting sessions about WAAD at TechEd Europe, which kicks off on June 25 in Amsterdam.

Microsoft announced the developer preview for WAAD on June 7. This preview includes two capabilities that are not currently in WAAD as it exists today, Shewchuk noted. The two: 1. The ability to connect and use information in the directory through a REST interface; 2. The ability for third-party developers to connect to the SSO the way Microsoft's own apps do.

The preview also will "include support for integration with consumer-oriented Internet identity providers such as Google and Facebook, and the ability to support Active Directory in deployments that span the cloud and enterprise through synchronization technology," he blogged.

Shewchuk said the WAAD developer preview should be available "soon."

Update: In spite of what the Microsoft diagram seems to indicate, the Softies say they are not positioning WAAD as a hub. A new and improved diagram is in the works that will make it clearer that in Microsoft's updated identity vision "there is no hub; there is no center."

Topics: Microsoft, Enterprise Software, Operating Systems, Security, Software, Windows


Mary Jo has covered the tech industry for 30 years for a variety of publications and Web sites, and is a frequent guest on radio, TV and podcasts, speaking about all things Microsoft-related. She is the author of Microsoft 2.0: How Microsoft plans to stay relevant in the post-Gates era (John Wiley & Sons, 2008).

  • Microsoft as sole keeper of my ID?

    Hell no, I'd rather not use the web, than turn my information over to the Evil that resides in Redmond. If a service uses WAAD, then I'll find a service that uses the superior Non Microsoft software.
    Jumpin Jack Flash
    • There's that, but more importantly

      They're thinking that setting themselves up as a single point of failure is a good idea. I wonder if there are older, wiser, dead people turning in their graves at the thought of this "let's make a bigger impending disaster."

      Mind you, there's governments that would probably start to wonder about this proposal; for all sorts of reasons and some of them probably not that helpful to your average company or punter.
    • I guess you did not read the article

      WAAD enables federation with external directory services. Microsoft would not be the sole keeper of your ID, in fact Microsoft would not know your ID at all.
      Your Non Advocate
      • Prove it

        I know that a fanboy Zealot, such as yourself, can't ever picture your heroes ever doing something wrong. The simple truth is Microsoft has a nefarious plan, which involves gaining a tax on every online transaction. I will resist giving a known Predatory Monopolist any personal information. Luckily no one near me has one of those dreadful Windows Phone devices, so I am safer than you'll ever be. As Microsoft has been harvesting your data for over a decade, and I've avoided giving them info at every turn.
        Jumpin Jack Flash
      • Prove it? That's how federation works

        I know that you are an ABM zealot. The simple truth is that is how the technology works. You already freely give your information to the known predatory monopolist Google. Google needs this information about you because you are the product that they sell to their customers - advertising companies. Microsoft is providing functionality where that level of information is not necessary to communicate with social networks, business partners and customers.
        Your Non Advocate
      • @Jack

        I recommend you go read Kim Cameron's comments (http://www.identityblog.com/?p=1219) about this article and about the inaccuracy of the diagrams. They're working on a better diagram that more accurately represents the reality of the federated Identity Metasystem wherein there is no center.

  • What does this mean for developers

    Today Windows Azure Access Control Service (in the future to be merged with WAAD) allows you to authenticate with Google and Facebook and enterprise identity providers like ADFS. So there isn't much new in that regard. What is new is the ability to project your AD to the cloud and the REST Graph API. That opens a lot of interesting scenarios.

    If a critical mass of enterprises effectively adopt this and project their AD to the cloud, this will:
    - Enable secure and standard-based collaboration (SAML, WS-Fed, OAuth, etc.).
    - Create a trust framework between enterprises (think about company A WAAD trusting company B WAAD).
    - Enable a better user experience for the end user by relying on their corporate credentials to log in to apps (less users and passwords).
    - Allow for a better user experience by querying the graph API to handle federated authorization.
    - Allow for unthinkable scenarios by mining directories using the Graph API.

    For those who are more techie, I wrote an article about WAAD that explains things from a technical point of view.

    • Thanks for your post and blog

      It looks good. Well said.
      Your Non Advocate
    • Will WAAD not create a single point of failure by its implementation?

      @Matias with Auth10

      Q: I'm not questioning the statement that Microsoft will NOT be the sole keeper of data or even implying that there is some deliberate plan for a take over of the global WAN. What I am curious about with regards to WAAD is this, is it not true that moving to the WAAD system will create a system in which a single point of action (i.e. failure) will exist whereas now the system is more distributed and therefore more difficult to take some action against?

      Also, do you not have a vested interest thru Auth10, in the implementation of anything Cloud based?

      Thank you

      DISCLAIMER (mainly for commenters like "facebook@..." who seem to go off on anyone criticising Microsoft): I am not nor have I ever been an ABMS (Anyone but Microsoft) follower nor an ABG (Anyone but google) follower. The fact is the more players the better for us the users.
      • "shared" is not the same as "central"


        Yes, Auth10 works with WAAD as well as with ADFS (for on premises deployment) or even other "federation hubs" like Ping's. I am interested in the success of WAAD but more interested in the adoption of federated identity in the industry. I think the diagram with WAAD at the center of the universe is misleading. A more realistic diagram would include Google Apps, Facebook, Ping, ADFS, etc. It's a federation and each company chooses what federation hub and identity provider its employees will use. The mesh will include apps on different platforms deployed on cloud, mobile, on-premises and identity providers of all kinds, WAAD being one of them.

        Kim Cameron wrote about this as well:
        Shared is not the same as Central. For the Windows Azure AD team the shared directory is not THE hub or THE center. There is no one center any more in our multi-centered world. We are not building a monolithic, world-wide directory. We are instead consciously operating a directory service that contains hundreds of thousands of directories that are actually owned by individual enterprises, startups and government organizations. These directories are each under the control of their data owner, and are completely independent until their data owner decides to share something with someone else
        source: http://www.identityblog.com/?p=1219

      • @BCC

        What is described above is NOT a single point of identity ownership nor a single point of failure. It describes a federation of identity providers who can securely exchange tokens and claims.

        WAAD is simply a tool that can be used to more easily manage and control the list of identity providers an organization is willing to federate with.

        WAAD does not, for example, import your Facebook or GMail identity - those identities are still owned by the respective identity providers (Facebook and Google, respectively).

        What WAAD *does* do is it does allow an enterprise admin to manage and configure his/her enterprise's federation policies to allow identities provided via Facebook, Google, other directories, etc., to be accepted when identifying partners, suppliers, etc. within the enterprise.

        Consider: If your company had, for example, a SharePoint doc portal that you wanted to share with partners and suppliers, some of whom were individuals, some of whom were from other agencies and companies, how would you provide everyone with valid credentials to be able to login to said portal? And how would you ensure that those credentials are correctly managed and maintained when, for example, a supplier's employee leaves/is terminated?

        Federation leaves identities at the organizations best able to manage them whilst allowing organizations to broker identities across organizational boundaries.
  • Finally a serious comment from Matias

    I will be glad to see more of the same and not the usual I-love-I-hate babble.
    For example to post this here I had to open a zdnet account.
    And if that's not the best example?
  • microsoft

    cloud is not safe and will not ....to companies do not put my info in the cloud because I will sue you big time I will not have my info stolen again
    • nothing IS safe.. it's just shades of grey

      there are malware on OSX, there are hacks on iCloud, there are ignored and misunderstood permissions on Android and flaws in flash player for almost all platforms.. there are JS injection codes for practically every browser version popping up weekly.

      what makes one 'safe' is not necessarily how they store or keep data or what platform/vendor they choose, but how they react when potential breach occurs and how they monitor for those attacks occurring.

      As for WAAD, I believe it will have great pickup, especially if bundled with O365 ADFS scenarios ....