For many companies, Microsoft Azure Active Directory (Azure AD) was the basis for a coordinated step into the cloud, by extending the reach of their existing on-premises Active Directory to the cloud. For others, Azure AD was at the beginning just something that came with Microsoft Office 365 – just another target system when it comes to IAM (Identity and Access Management). However, we are talking to more and more corporate executives who are considering whether Azure AD's role should become a more strategic element within their IAM infrastructure.
There is no simple answer to this question as it depends on a variety of aspects. This starts with your overall strategy for IAM and the way you intend to deploy IAM in the future. It depends on the breadth of applications and services you have in place and on how to best integrate these. It depends on your existing IAM tooling and other factors. For the future IAM strategy, it is worth re-thinking your approach – the concept of an Identity Fabric might be a great starting point for re-visiting your strategy.
Azure AD is, without any doubt, one of the leading offerings in the IDaaS (Identity as a Service) market, serving far more than just the Microsoft environment. There is a huge range of pre-integrated SaaS applications available, thus allowing Azure AD to become a central element in the Access Management strategy to SaaS services.
Notably, discussing a strategy role does not equal “should Azure AD become the one and only tool for IAM?”. Given the breadth of requirements in IAM, ranging from Identity Provisioning and Access Governance to Web Access Management, Identity Federation, Privileged Access Management and several other topics. For some scenarios, even the answer to that question could become a “yes”, but for many, it won’t, due to the breadth and depth of requirements, the existing infrastructure, and other factors.
Obviously, cloud-based IAM solutions (IDaaS) are gaining momentum and will continue to do so, with an ever-increasing share of the critical workloads moving to as-a-service models. When these workloads are run from the cloud, running IAM from the cloud as well is just logical.
While there is not a simple answer, I want to give four recommendations:
Carefully follow what Microsoft is doing around Azure AD to understand which of your requirements are met and which aren’t, and which might be met soon.
Review your IAM landscape and revisit your IAM “architectural blueprint” for having a clear strategy on how to evolve (or even modernize) your IAM.
Reconsider ownership of Azure Active Directory – regardless of how you use it, it is part of the IAM landscape. Ownership should not be with the Office 365 team or an infrastructure/client management team, but with IAM.
If you already integrate the on-premises Active Directory and Azure AD, consider reverting the order of integration – with Azure AD being the lead.